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SYSTEMS AND METHODS FOR SECURE TRANSACTION 
MANAGEMENT AND ELECTRONIC RIGHTS PROTECTION 



Fieldfs) of t he Invention^) 



This invention generally relates to computer and/or 
electronic security. 

5 

More particularly, this invention relates to systems and 
techniques for secure transaction management. This invention 
also relates to computer-based and other electronic appliance- 
based technologies that help to ensure that information is 
10 accessed and/or otherwise used only in authorized ways, and 

maintains the integrity, availability, and/or confidentiality of 
such information and processes related to such use. 



The invention also relates to systems and methods for 
15 protecting rights of various participants in electronic commerce 

and other electronic or electronically-facilitated transactions. 



The invention also relates to secure chains of handling and 
control for both information content and information employed to 
20 regulate the use of such content and consequences of such use. It 

also relates to systems and techniques that manage, including 
meter and/or limit and/or otherwise monitor use of electronically 
stored and/or disseminated information. The invention 



WO 96/27155 



PCTAJS96/02303 



particularly relates to transactions, conduct and arrangements 
that make use of, including consequences of use of, such systems 
and/or techniques. 

The invention also relates to distributed and other 
operating systems, environments and architectures. It also 
generally relates to secure architectures, including, for example, 
tamper-resistant hardware-based processors, that can be used to 
establish security at each node of a distributed system. 

Background and Summary of the Invention(s) 

Telecommunications, financial transactions, government 
processes, business operations, entertainment, and personal 
business productivity all now depend on electronic appliances. 
Millions of these electronic appliances have been electronically 
connected together. These interconnected electronic appliances 
comprise what is increasingly called the "information highway." 
Many businesses, academicians, and government leaders are 
concerned about how to protect the rights of citizens and 
organizations who use this information (also "electronic" or 
"digital") highway. 

Electronic Content 

Today, virtually anything that can be represented by 
words, numbers, graphics, or system of commands and 



instructions can be formatted into electronic digital information. 
Television, cable, satellite transmissions, and on-line services 
transmitted over telephone lines, compete to distribute digital 
information and entertainment to homes and businesses. The 
owners and marketers of this content include software 
developers, motion picture and recording companies, publishers 
of books, magazines, and newspapers, and information database 
providers. The popularization of on-line services has also enabled 
the individual personal computer user to participate as a content 
provider. It is estimated that the worldwide market for electronic 
information in 1992 was approximately $40 billion and is 
expected to grow to $200 billion by 1997, according to Microsoft 
Corporation. The present invention can materially enhance the 
revenue of content providers, lower the distribution costs and the 
costs for content, better support advertising and usage 
information gathering, and better satisfy the needs of electronic 
information users. These improvements can lead to a significant 
increase in the amount and variety of electronic information and 
the methods by which such information is distributed. 

The inability of conventional products to be shaped to the 
needs of electronic information providers and users is sharply in 
contrast to the present invention. Despite the attention devoted 
by a cross-section of America's largest telecommunications, 
computer, entertainment and information provider companies to 
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some of the problems addressed by the present invention, only 
the present invention provides commercially secure, effective 
solutions for configurable, general purpose electronic commerce 
transaction/distribution control systems. 

Controlling Electronic Content 

The present invention provides a new kind of "virtual 
distribution environment" (called "VDE" in this document) that 
secures, administers, and audits electronic information use. VDE 
also features fundamentally important capabilities for managing 
content that travels "across" the "information highway." These 
capabilities comprise a rights protection solution that serves all 
electronic community members. These members include content 
creators and distributors, financial service providers, end-users, 
and others. VDE is the first general purpose, configurable, 
transaction control/rights protection solution for users of 
computers, other electronic appliances, networks, and the 
information highway. 

A fundamental problem for electronic content providers is 
extending their ability to control the use of proprietary 
information. Content providers often need to limit use to 
authorized activities and amounts. Participants in a business 
model involving, for example, provision of movies and advertising 
on optical discs may include actors, directors, script and other 



writers, musicians, studios, publishers, distributors, retailers, 
advertisers, credit card services, and content end-users. These 
participants need the ability to embody their range of agreements 
and requirements, including use limitations, into an "extended" 
agreement comprising an overall electronic business model. This 
extended agreement is represented by electronic content control 
information that can automatically enforce agreed upon rights 
and obligations. Under VDE, such an extended agreement may 
comprise an electronic contract involving all business model 
participants. Such an agreement may alternatively, or in 
addition, be made up of electronic agreements between subsets of 
the business model participants. Through the use of VDE, 
electronic commerce can function in the same way as traditional 
commerce — that is commercial relationships regarding products 
and services can be shaped through the negotiation of one or 
more agreements between a variety of parties. 

Commercial content providers are concerned with ensuring 
proper compensation for the use of their electronic information. 
Electronic digital information, for example a CD recording, can 
today be copied relatively easily and inexpensively. Similarly, 
unauthorized copying and use of software programs deprives 
rightful owners of billions of dollars in annual revenue according 
to the International Intellectual Properly Alliance. Content 
providers and distributors have devised a number of limited 
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function rights protection mechanisms to protect their rights. 
Authorization passwords and protocols, license servers, 
"lock/unlock" distribution methods, and non-electronic 
contractual limitations imposed on users of shrink-wrapped 
software are a few of the more prevalent content protection 
schemes. In a commercial context, these efforts are inefficient 
and limited solutions. 

Providers of "electronic currency" have also created 
protections for their type of content. These systems are not 
sufficiently adaptable, efficient, nor flexible enough to support 
the generalized use of electronic currency. Furthermore, they do 
not provide sophisticated auditing and control configuration 
capabilities. This means that current electronic currency tools 
lack the sophistication needed for many real- world financial 
business models. VDE provides means for anonymous currency 
and for "conditionally" anonymous currency, wherein currency 
related activities remain anonymous except under special 
circumstances. 

VDE Control Capabilities 

VDE allows the owners and distributors of electronic 
digital information to reliably bill for, and securely control, audit, 
and budget the use of, electronic information. It can reliably 
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detect and monitor the use of commercial information products. 
VDE uses a wide variety of different electronic information 
delivery means: including, for example, digital networks, digital 
broadcast, and physical storage media such as optical and 
magnetic disks. VDE can be used by major network providers, 
hardware manufacturers, owners of electronic information, 
providers of such information, and clearinghouses that gather 
usage information regarding, and bill for the use of, electronic 
information. 

VDE provides comprehensive and configurable transaction 
management, metering and monitoring technology. It can 
change how electronic information products are protected, 
marketed, packaged, and distributed. When used, VDE should 
result in higher revenues for information providers and greater 
user satisfaction and value. Use of VDE will normally result in 
lower usage costs, decreased transaction costs, more efficient 
access to electronic information, re-usability of rights protection 
and other transaction management implementations, greatly 
improved flexibility in the use of secured information, and 
greater standardization of tools and processes for electronic 
transaction management. VDE can be used to create an 
adaptable environment that fulfills the needs of electronic 
information owners, distributors, and users; financial 
clearinghouses; and visage information analyzers and resellers. 
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Rights and Control Information 

In general, the present invention can be used to protect the 
rights of parties who have: 

5 (a) proprietary or confidentiality interests in electronic 

information. It can, for example, help ensure that 
information is used only in authorized ways; 

(b) financial interests resulting from the use of 

10 electronically distributed information. It can help 

ensure that content providers will be paid for use of 
distributed information; and 

(c) interests in electronic credit and electronic currency 
15 storage, communication, and/or use including 

electronic cash, banking, and purchasing. 

Protecting the rights of electronic community members 
involves a broad range of technologies. VDE combines these 

20 technologies in a way that creates a ^^tributed" electronic 

rights protection "environment." This environment secures and 
protects transactions and other processes important for rights 
protection. VDE, for example, provides the ability to prevent, or 
impede, interference with and/or observation of, important rights 

25 related transactions and processes. VDE, in its preferred 
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embodiment, uses special purpose tamper resistant Secure 
Processing Units (SPUs) to help provide a high level of security 
for VDE processes and information storage and communication. 

The rights protection problems solved by the present 
invention are electronic versions of basic societal issues. These 
issues include protecting property rights, protecting privacy 
rights, properly compensating people and organizations for their 
work and risk, protecting money and credit, and generally 
protecting the security of information. VDE employs a system 
that uses a common set of processes to manage rights issues in 
an efficient, trusted, and cost-effective way. 

VDE can be used to protect the rights of parties who create 
electronic content such as, for example: records, games, movies, 
newspapers, electronic books and reference materials, personal 
electronic mail, and confidential records and communications. 
The invention can also be used to protect the rights of parties 
who provide electronic products, such as publishers and 
distributors; the rights of parties who provide electronic credit 
and currency to pay for use of products, for example, credit 
clearinghouses and banks; the rights to privacy of parties who 
use electronic content (such as consumers, business people, 
governments); and the privacy rights of parties described by 
electronic information, such as privacy rights related to 
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information contained in a medical record, tax record, or 
personnel record. 

In general, the present invention can protect the rights of 
parties who have: 

(a) commercial interests in electronically distributed 
information — the present invention can help ensure, 
for example, that parties, will be paid for use of 
distributed information in a manner consistent with 
their agreement; 

(b) proprietary and/or confidentiality interests in 
electronic information — the present invention can, 
for example, help ensure that data is used only in 
authorized ways; 

(c) interests in electronic credit and electronic currency 
storage, communication, and/or use — this can 
include electronic cash, banking, and purchasing; 
and 

(d) interests in electronic information derived, at least 
in part, from use of other electronic information. 

VDE Functional Properties 
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VDE is a cost-effective and efficient rights protection 
solution that provides a unified, consistent system for securing 
and managing transaction processing. VDE can: 

(a) audit and analyze the use of content, 

(b) ensure that content is used only in authorized ways, 
and 

(c) allow information regarding content usage to be used 
only in ways approved by content users. 

In addition, VDE: 

(a) is very configurable, modifiable, and re-usable; 

(b) supports a wide range of useful capabilities that may 
be combined in different ways to accommodate most 
potential applications; 

(c) operates on a wide variety of electronic appliances 
ranging from hand-held inexpensive devices to large 
mainframe computers; 
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(d) is able to ensure the various rights of a number of 
different parties, and a number of different rights 
protection schemes, simultaneously; 



(e) is able to preserve the rights of parties through a 
series of transactions that may occur at different 
times and different locations; 



(f) is able to flexibly accommodate different ways of 

securely delivering information and reporting usage; 
and 



(g) provides for electronic analogues to "real" money and 
credit, including anonymous electronic cash, to pay 
for products and services and to support personal 
(including home) banking and other financial 
activities. 



VDE economically and efficiently fulfills the rights 
protection needs of electronic community members. Users of 
VDE will not require additional rights protection systems for 
different information highway products and rights problems — nor 
will they be required to install and learn a new system for each 
new information highway application. 
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VDE provides a unified solution that allows all content 
creators, providers, and users to employ the same electronic 
rights protection solution. Under authorized circumstances, the 
participants can freely exchange content and associated content 
control sets. This means that a user of VDE may, if allowed, use 
the same electronic system to work with different kinds of 
content having different sets of content control information. The 
content and control information supplied by one group can be 
used by people who normally use content and control information 
supplied by a different group. VDE can allow content to be 
exchanged "universally" and users of an implementation of the 
present invention can interact electronically without fear of 
incompatibilities in content control, violation of rights, or the 
need to get, install, or learn a new content control system. 

The VDE securely administers transactions that specify 
protection of rights. It can protect electronic rights including, for 
example: 

(a) the property rights of authors of electronic content, 

(b) the commercial rights of distributors of content, 

(c) the rights of any parties who facilitated the 
distribution of content, 
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(d) the privacy rights of users of content, 

(e) the privacy rights of parties portrayed by stored 
and/or distributed content, and 

(f) any other rights regarding enforcement of electronic 
agreements. 

VDE can enable a very broad variety of electronically enforced 
commercial and societal agreements. These agreements can 
include electronically implemented contracts, licenses, laws, 
regulations, and tax collection. 

Contrast With Traditional Solutions 

Traditional content control mechanisms often require users 
to purchase more electronic information than the user needs or 
desires. For example, infrequent users of shrink-wrapped 
software are required to purchase a program at the same price as 
frequent users, even though they may receive much less value 
from their less frequent use. Traditional systems do not scale 
cost according to the extent or character of usage and traditional 
systems can not attract potential customers who find that a fixed 
price is too high. Systems using traditional mechanisms are also 
not normally particularly secure. For example, shrink-wrapping 
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does not prevent the constant illegal pirating of software once 
removed from either its physical or electronic package. 

Traditional electronic information rights protection 
systems are often inflexible and inefficient and may cause a 
content provider to choose costly distribution channels that 
increase a product's price. In general these mechanisms restrict 
product pricing, configuration, and marketing flexibility . These 
compromises are the result of techniques for controlling 
information which cannot accommodate both different content 
models and content models which reflect the many, varied 
requirements, such as content delivery strategies, of the model 
participants. This can limit a provider's ability to deliver 
sufficient overall value to justify a given product's cost in the eyes 
of many potential users. VDE allows content providers and 
distributors to create applications and distribution networks that 
reflect content providers' and users' preferred business models. 
It offers users a uniquely cost effective and feature rich system 
that supports the ways providers want to distribute information 
and the ways users want to use such information. VDE supports 
content control models that ensure rights and allow content 
delivery strategies to be shaped for maximum commercial results. 
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Chain of Handling and Control 

VDE can protect a collection of rights belonging to various 
parties having in rights in, or to, electronic information. This 
information may be at one location or dispersed across (and/or 
moving between) multiple locations. The information may pass 
through a "chain" of distributors and a "chain" of users. Usage 
information may also be reported through one or more "chains" of 
parties. In general, VDE enables parties that (a) have rights in 
electronic information, and/or (b) act as direct or indirect agents 
for parties who have rights in electronic information, to ensure 
that the moving, accessing, modifying, or otherwise using of 
information can be securely controlled by rules regarding how, 
when, where, and by whom such activities can be performed. 

VDE Applications and Software 

VDE is a secure system for regulating electronic conduct 
and commerce. Regulation is ensured by control information put 
in place by one or more parties. These parties may include 
content providers, electronic hardware manufacturers, financial 
service providers, or electronic "infrastructure" companies such 
as cable or telecommunications companies. The control 
information implements "Rights Applications" Rights 
applications "run on" the "base software" of the preferred 
embodiment. This base software serves as a secure, flexible, 
general purpose foundation that can accommodate many 
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different rights applications, that is, many different business 
models and their respective participant requirements. 

A rights application under VDE is made up of special 
purpose pieces, each of which can correspond to one or more basic 
electronic processes needed for a rights protection environment. 
These processes can be combined together like building blocks to 
create electronic agreements that can protect the rights, and may 
enforce fulfillment of the obligations, of electronic information 
users and providers. One or more providers of electronic 
information can easily combine selected building blocks to create 
a rights application that is unique to a specific content 
distribution model. A group of these pieces can represent the 
capabilities needed to fulfill the agreement(s) between users and 
providers. These pieces accommodate many requirements of 
electronic commerce including: 

! the distribution of permissions to use electronic 
information; 

! the persistence of the control information and sets of 
control information managing these permissions; 

! configurable control set information that can be 
selected by users for use with such information; 
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! data security and usage auditing of electronic 
information; and 

! a secure system for currency, compensation and 
debit management. 

For electronic commerce, a rights application, under the 
preferred embodiment of the present invention, can provide 
electronic enforcement of the business agreements between all 
participants. Since different groups of components can be put 
together for different applications, the present invention can 
provide electronic control information for a wide variety of 
different products and markets. This means the present 
invention can provide a "unified," efficient, secure, and 
cost-effective system for electronic commerce and data security. 
This allows VDE to serve as a single standard for electronic 
rights protection, data security, and electronic currency and 
banking. 

In a VDE, the separation between a rights application and 
its foundation permits the efficient selection of sets of control 
information that are appropriate for each of many different types 
of applications and uses. These control sets can reflect both 
rights of electronic community members, as well as obligations 
(such as providing a history of one's use of a product or paying 
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taxes on one's electronic purchases). VDE flexibility allows its 
users to electronically implement and enforce common social and 
commercial ethics and practices. By providing a unified control 
system, the present invention supports a vast range of possible 
transaction related interests and concerns of individuals, 
communities, businesses, and governments. Due to its open 
design, VDE allows (normally under securely controlled 
circumstances) applications using technology independently 
created by users to be "added" to the system and used in 
conjunction with the foundation of the invention. In sum, VDE 
provides a system that can fairly reflect and enforce agreements 
among parties. It is a broad ranging and systematic solution that 
answers the pressing need for a secure, cost-effective, and fair 
electronic environment. 

VDE Implementation 

The preferred embodiment of the present invention 
includes various tools that enable system designers to directly 
insert VDE capabilities into their products. These tools include 
an Application Programmer's Interface ("APF) and a Rights 
Permissioning and Management Language ("RPML"). The 
RPML provides comprehensive and detailed control over the use 
of the invention's features. VDE also includes certain user 
interface subsystems for satisfying the needs of content 
providers, distributors, and users. 



-19- 



WO 96/27155 



PCT/US96/02303 



Information distributed using VDE may take many forms. 
It may, for example, be "distributed" for use on an individual's 
own computer, that is the present invention can be used to 
provide security for locally stored data. Alternatively, VDE may 
5 be used with information that is dispersed by authors and/or 

publishers to one or more recipients. This information may take 
many forms including: movies, audio recordings, games, 
electronic catalog shopping, multimedia, training materials, 
E-mail and personal documents, object oriented libraries, 
10 software programming resources, and reference/record keeping 

information resources (such as business, medical, legal, scientific, 
governmental, and consumer databases). 

Electronic rights protection provided by the present 
15 invention will also provide an important foundation for trusted 

and efficient home and commercial banking, electronic credit 
processes, electronic purchasing, true or conditionally anonymous 
electronic cash, and EDI (Electronic Data Interchange). VDE 
provides important enhancements for improving data security in 
20 organizations by providing "smart" transaction management 

features that can be far more effective than key and password 
based "go/no go" technology. 

VDE normally employs an integration of cryptographic and 
25 other security technologies (e.g. encryption, digital signatures, 
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etc.), with other technologies including: component, distributed, 
and event driven operating system technology, and related 
communications, object container, database, smart agent, smart 
card, and semiconductor design technologies. 

I. Overview 

A. VDE Solves Important Problems and Fills 
Critical Needs 

The world is moving towards an integration of electronic 

information appliances. This interconnection of appliances 

provides a foundation for much greater electronic interaction and 

the evolution of electronic commerce. A variety of capabilities are 

required to implement an electronic commerce environment. 

VDE is the first system that provides many of these capabilities 

and therefore solves fundamental problems related to electronic 

dissemination of information. 

Electronic Content 

VDE allows electronic arrangements to be created 
involving two or more parties. These agreements can themselves 
comprise a collection of agreements between participants in a 
commercial value chain and/or a data security chain model for 
handling, auditing, reporting, and payment. It can provide 
efficient, reusable, modifiable, and consistent means for secure 
electronic content: distribution, usage control, usage payment, 
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usage auditing, and usage reporting. Content may, for example, 
include: 



10 



financial information such as electronic currency and 
credit; 

commercially distributed electronic information such 
as reference databases, movies, games, and 
advertising; and 

electronic properties produced by persons and 
organizations, such as documents, e-mail, and 
proprietary database information. 



15 VDE enables an electronic commerce marketplace that supports 

differing, competitive business partnerships, agreements, and 
evolving overall business models. 



The features of VDE allow it to function as the first trusted 
20 electronic information control environment that can conform to, 

and support, the bulk of conventional electronic commerce and 
data security requirements. In particular, VDE enables the 
participants in a business value chain model to create an 
electronic version of traditional business agreement terms and 
25 conditions and further enables these participants to shape and 
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evolve their electronic commerce models as they believe 
appropriate to their business requirements. 

VDE offers an architecture that avoids reflecting specific 
distribution biases, administrative and control perspectives, and 
content types. Instead, VDE provides a broad-spectrum, 
fundamentally configurable and portable, electronic transaction 
control, distributing, usage, auditing, reporting, and payment 
operating environment. VDE is not limited to being an 
application or application specific toolset that covers only a 
limited subset of electronic interaction activities and participants. 
Rather, VDE supports systems by which such applications can be 
created, modified, and/or reused. As a result, the present 
invention answers pressing, unsolved needs by offering a system 
that supports a standardized control environment which 
facilitates interoperability of electronic appliances, 
interoperability of content containers, and efficient creation of 
electronic commerce applications and models through the use of a 
programmable, secure electronic transactions management 
foundation and reusable and extensible executable components. 
VDE can support a single electronic "world* within which most 
forms of electronic transaction activities can be managed. 

To answer the developing needs of rights owners and 
content providers and to provide a system that can accommodate 
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the requirements and agreements of all parties that may be 
involved in electronic business models (creators, distributors, 
administrators, users, credit providers, etc.), VDE supplies an 
efficient, largely transparent, low cost and sufficiently secure 
system (supporting both hardware/ software and software only 
models). VDE provides the widely varying secure control and 
administration capabilities required for: 

1. Different types of electronic content, 

2. Differing electronic content delivery schemes, 

3. Differing electronic content usage schemes, 

4. Different content usage platforms, and 

5. DiflFering content marketing and model strategies. 

VDE may be combined with, or integrated into, many 
separate computers and/or other electronic appliances. These 
appliances typically include a secure subsystem that can enable 
control of content use such as displaying, encrypting, decrypting, 
printing, copying, saving, extracting, embedding, distributing, 
auditing usage, etc. The secure subsystem in the preferred 
embodiment comprises one or more "protected processing 
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environments", one or more secure databases, and secure 
"component assemblies" and other items and processes that need 
to be kept secured. VDE can, for example, securely control 
electronic currency, payments, and/or credit management 
(including electronic credit and/or currency receipt, 
disbursement, encumbering, and/or allocation) using such a 
"secure subsystem." 

VDE provides a secure, distributed electronic transaction 
management system for controlling the distribution and/or other 
usage of electronically provided and/or stored information. VDE 
controls auditing and reporting of electronic content and/or 
appliance usage. Users of VDE may include content creators who 
apply content usage, usage reporting, and/or usage payment 
related control information to electronic content and/or 
appliances for users such as end-user organizations, individuals, 
and content and/or appliance distributors. VDE also securely 
supports the payment of money owed (including money owed for 
content and/or appliance usage) by one or more parties to one or 
more other parties, in the form of electronic credit and/or 
currency. 

Electronic appliances under control of VDE represent VDE 
'nodes' that securely process and control; distributed electronic 
information and/or appliance usage, control information 
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formulation, and related transactions. VDE can securely manage 
the integration of control information provided by two or more 
parties. As a result, VDE can construct an electronic agreement 
between VDE participants that represent a "negotiation" 
5 between, the control requirements of, two or more parties and 

enacts terms and conditions of a resulting agreement. VDE 
ensures the rights of each party to an electronic agreement 
regarding a wide range of electronic activities related to 
electronic information and/or appliance usage. 

10 

Through use of VDE's control system, traditional content 
providers and users can create electronic relationships that 
reflect traditional, non-electronic relationships. They can shape 
and modify commercial relationships to accommodate the 

15 evolving needs of, and agreements among, themselves. VDE does 

not require electronic content providers and users to modify their 
business practices and personal preferences to conform to a 
metering and control application program that supports limited, 
largely fixed functionality. Furthermore, VDE permits 

20 participants to develop business models not feasible with non- 

electronic commerce, for example, involving detailed reporting of 
content usage information, large numbers of distinct transactions 
at hitherto infeasibly low price points, "pass-along" control 
information that is enforced without involvement or advance 

25 knowledge of the participants, etc. 
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The present invention allows content providers and users 
to formulate their transaction environment to accommodate: 

(1) desired content models, content control models, and 
content usage information pathways, 

(2) a complete range of electronic media and distribution 
means, 

(3) a broad range of pricing, payment, and auditing 
strategies, 

(4) very flexible privacy and/or reporting models, 

(5) practical and effective security architectures, and 

(6) other administrative procedures that together with 
steps (1) through (5) can enable most "real world" 
electronic commerce and data security models, 
including models unique to the electronic world. 

VDE's transaction management capabilities can enforce: 
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(1) privacy rights of users related to information 
regarding their usage of electronic information 
and/or appliances, 

(2) societal policy such as laws that protect rights of 
content users or require the collection of taxes 
derived from electronic transaction revenue, and 

(3) the proprietary and/or other rights of parties related 
to ownership of, distribution of, and/or other 
commercial rights related to, electronic information. 

VDE can support "real" commerce in an electronic form, 
that is the progressive creation of commercial relationships that 
form, over time, a network of interrelated agreements 
representing a value chain business model. This is achieved in 
part by enabling content control information to develop through 
the interaction of (negotiation between) securely created and 
independently submitted sets of content and/or appliance control 
information. Different sets of content and/or appliance control 
information can be submitted by different parties in an electronic 
business value chain enabled by the present invention. These 
parties create control information sets through the use of their 
respective VDE installations. Independently, securely 
deliverable, component based control information allows efficient 
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interaction among control information sets supplied by different 
parties. 

VDE permits multiple, separate electronic arrangements to 
be formed between subsets of parties in a VDE supported 
electronic value chain model. These multiple agreements 
together comprise a VDE value chain "extended" agreement. 
VDE allows such constituent electronic agreements, and 
therefore overall VDE extended agreements, to evolve and 
reshape over time as additional VDE participants become 
involved in VDE content and/or appliance control information 
handling. VDE electronic agreements may also be extended as 
new control information is submitted by existing participants. 
With VDE, electronic commerce participants are free to structure 
and restructure their electronic commerce business activities and 
relationships. As a result, the present invention allows a 
competitive electronic commerce marketplace to develop since the 
use of VDE enables different, widely varying business models 
using the same or shared content. 

A significant facet of the present invention's ability to 
broadly support electronic commerce is its ability to securely 
manage independently delivered VDE component objects 
containing control information (normally in the form of VDE 
objects containing one or more methods, data, or load module 
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VDE components). This independently delivered control 
information can be integrated with senior and other pre-existing 
content control information to securely form derived control 
information using the negotiation mechanisms of the present 
invention. All requirements specified by this derived control 
information must be satisfied before VDE controlled content can 
be accessed or otherwise used. This means that, for example, all 
load modules and any mediating data which are listed by the 
derived control information as required must be available and 
securely perform their required function. In combination with 
other aspects of the present invention, securely, independently 
delivered control components allow electronic commerce 
participants to freely stipulate their business requirements and 
trade offs. As a result, much as with traditional, non-electronic 
commerce, the present invention allows electronic commerce 
(through a progressive stipulation of various control 
requirements by VDE participants) to evolve into forms of 
business that are the most efficient, competitive and useful. 

VDE provides capabilities that rationalize the support of 
electronic commerce and electronic transaction management. 
This rationalization stems from the reusability of control 
structures and user interfaces for a wide variety of transaction 
management related activities. As a result, content usage 
control, data security, information auditing, and electronic 
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financial activities, can be supported with tools that are reusable, 
convenient, consistent, and familiar. In addition, a rational 
approach — a transaction/distribution control standard — allows 
all participants in VDE the same foundation set of hardware 
control and security, authoring, administration, and 
management tools to support widely varying types of 
information, business market model, and/or personal objectives. 

Employing VDE as a general purpose electronic 
transaction/distribution control system allows users to maintain 
a single transaction management control arrangement on each of 
their computers, networks, communication nodes, and/or other 
electronic appliances. Such a general purpose system can serve 
the needs of many electronic transaction management 
applications without requiring distinct, different installations for 
different puiposes. As a result, users of VDE can avoid the 
confusion and expense and other inefficiencies of different, 
limited purpose transaction control applications for each different 
content and/or business model. For example, VDE allows content 
creators to use the same VDE foundation control arrangement for 
both content authoring and for licensing content from other 
content creators for inclusion into their products or for other use. 
Clearinghouses, distributors, content creators, and other VDE 
users can all interact, both with the applications running on their 
VDE installations, and with each other, in an entirely consistent 
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manner, using and reusing (largely transparently) the same 
distributed tools, mechanisms, and consistent user interfaces, 
regardless of the type of VDE activity. 

VDE prevents many forms of unauthorized use of 
electronic information, by controlling and auditing (and other 
administration of use) electronically stored and/or disseminated 
information. This includes, for example, commercially 
distributed content, electronic currency, electronic credit, 
business transactions (such as EDI), confidential 
communications, and the like. VDE can further be used to enable 
commercially provided electronic content to be made available to 
users in user defined portions, rather than constraining the user 
to use portions of content that were predetermined* by a content 
creator and/or other provider for billing purposes. 

VDE, for example, can employ: 

(1) Secure metering means for budgeting and/or 
auditing electronic content and/or appliance usage; 

(2) Secure flexible means for enabling compensation 
and/or billing rates for content and/or appliance 
usage, including electronic credit and/or currency 
mechanisms for payment means; 
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Secure distributed database means for storing 
control and usage related information (and 
employing validated compartmentalization and 
tagging schemes); 

Secure electronic appliance control means; 

A distributed, secure, "virtual black box" comprised 
of nodes located at every user (including VDE 
content container creators, other content providers, 
client users, and recipients of secure VDE content 
usage information) site. The nodes of said virtual 
black box normally include a secure subsystem 
having at least one secure hardware element (a 
semiconductor element or other hardware module for 
securely executing VDE control processes), said 
secure subsystems being distributed at nodes along a 
pathway of information storage, distribution, 
payment, usage, and/or auditing. In some 
embodiments, the functions of said hardware 
element, for certain or all nodes, may be performed 
by software, for example, in host processing 
environments of electronic appliances; 

Encryption and decryption means; 
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(7) Secure communications means employing 
authentication, digital signaturing, and encrypted 
transmissions. The secure subsystems at said user 
nodes utilize a protocol that establishes and 
authenticates each node's and/or participant's 
identity, and establishes one or more secure 
host-to-host encryption keys for communications 
between the secure subsystems; and 

(8) Secure control means that can allow each VDE 
installation to perform VDE content authoring 
(placing content into VDE containers with associated 
control information), content distribution, and 
content usage; as well as clearinghouse and other 
administrative and analysis activities employing 
content usage information. 

VDE may be used to migrate most non-electronic, 
traditional information delivery models (including entertainment, 
reference materials, catalog shopping, etc.) into an adequately 
secure digital distribution and usage management and payment 
context. The distribution and financial pathways managed by a 
VDE arrangement may include: 

! content creators), 
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! distributors), 

! redistributor(s), 

! client administrators), 

! client user(s), 

! financial and/or other clearinghouse(s), 

! and/or government agencies. 

These distribution and financial pathways may also include: 

! advertisers, 

! market survey organizations, and/or 

! other parties interested in the user usage of 

information securely delivered and/or stored using 

VDE. 

Normally, participants in a VDE arrangement will employ the 
same secure VDE foundation. Alternate embodiments support 
VDE arrangements employing differing VDE foundations. Such 
alternate embodiments may employ procedures to ensure certain 
interoperability requirements are met. 

Secure VDE hardware (also known as SPUs for Secure 
Processing Units), or VDE installations that use software to 
substitute for, or complement, said hardware (provided by Host 
Processing Environments (HPEs)), operate in conjunction with 
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secure communications, systems integration software, and 
distributed software control information and support structures, 
to achieve the electronic contract/rights protection environment 
of the present invention. Together, these VDE components 
comprise a secure, virtual, distributed content and/or appliance 
control, auditing (and other administration), reporting, and 
payment environment. In some embodiments and where 
commercially acceptable, certain VDE participants, such as 
clearinghouses that normally maintain sufficiently physically 
secure non-VDE processing environments, may be allowed to 
employ HPEs rather VDE hardware elements and interoperate, 
for example, with VDE end-users and content providers. VDE 
components together comprise a configurable, consistent, secure, 
and "trusted" architecture for distributed, asynchronous control 
of electronic content and/or appliance usage. VDE supports a 
"universe wide" environment for electronic content delivery, 
broad dissemination, usage reporting, and usage related payment 
activities. 

VDE provides generalized configurability. This results, in 
part, from decomposition of generalized requirements for 
supporting electronic commerce and data security into a broad 
range of constituent "atomic" and higher level components (such 
as load modules, data elements, and methods) that may be 
variously aggregated together to form control methods for 
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electronic commerce applications, commercial electronic 
agreements, and data security arrangements. VDE provides a 
secure operating environment employing VDE foundation 
elements along with secure independently deliverable VDE 
components that enable electronic commerce models and 
relationships to develop. VDE specifically supports the unfolding 
of distribution models in which content providers, over time, can 
expressly agree to, or allow, subsequent content providers and/or 
users to participate in shaping the control information for, and 
consequences of, use of electronic content and/or appliances. A 
very broad range of the functional attributes important for 
supporting simple to very complex electronic commerce and data 
security activities are supported by capabilities of the present 
invention. As a result, VDE supports most types of electronic 
information and/or appliance: usage control (including 
distribution), security, usage auditing, reporting, other 
administration, and payment arrangements. 

VDE, in its preferred embodiment, employs object software 
technology and uses object technology to form "containers" for 
delivery of information that is (at least in part) encrypted or 
otherwise secured. These containers may contain electronic 
content products or other electronic information and some or all 
of their associated permissions (control) information. These 
container objects may be distributed along pathways involving 
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content providers and/or content users. They may be securely 
moved among nodes of a Virtual Distribution Environment 
(VDE) arrangement, which nodes operate VDE foundation 
software and execute control methods to enact electronic 
information usage control and/or administration models. The 
containers delivered through use of the preferred embodiment of 
the present invention may be employed both for distributing VDE 
control instructions (information) and/or to encapsulate and 
electronically distribute content that has been at least partially 
secured. 

Content providers who employ the present invention may 
include, for example, software application and game publishers, 
database publishers, cable, television, and radio broadcasters, 
electronic shopping vendors, and distributors of information in 
electronic document, book, periodical, e-mail and/or other forms. 
Corporations, government agencies, and/or individual "end-users" 
who act as storers of, and/or distributors of, electronic 
information, may also be VDE content providers (in a restricted 
model, a user provides content only to himself and employs VDE 
to secure his own confidential information against unauthorized 
use by other parties). Electronic information may include 
proprietary and/or confidential information for personal or 
internal organization use, as well as information, such as 
software applications, documents, entertainment materials, 
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and/or reference information, which may be provided to other 
parties. Distribution may be by, for example, physical media 
delivery, broadcast and/or telecommunication means, and in the 
form of "static" files and/or streams of data. VDE may also be 
used, for example, for multi-site "real-time" interaction such as 
teleconferencing, interactive games, or on-line bulletin boards, 
where restrictions on, and/or auditing of, the use of all or portions 
of communicated information is enforced. 

VDE provides important mechanisms for both enforcing 
commercial agreements and enabling the protection of privacy 
rights. VDE can securely deliver information from one party to 
another concerning the use of commercially distributed electronic 
content. Even if parties are separated by several "steps" in a 
chain (pathway) of handling for such content usage information, 
such information is protected by VDE through encryption and/or 
other secure processing. Because of that protection, the accuracy 
of such information is guaranteed by VDE, and the information 
can be trusted by all parties to whom it is delivered. 
Furthermore, VDE guarantees that all parties can trust that 
such information cannot be received by anyone other than the 
intended, authorized, party(ies) because it is encrypted such that 
only an authorized party, or her agents, can decrypt it. Such 
information may also be derived through a secure VDE process at 
a previous pathway-of-handling location to produce secure VDE 
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reporting information that is then communicated securely to its 
intended recipient's VDE secure subsystem. Because VDE can 
deliver such information securely, parties to an electronic 
agreement need not trust the accuracy of commercial usage 
and/or other information delivered through means other than 
those under control of VDE. 

VDE participants in a commercial value chain can be 
"commercially* confident (that is, sufficiently confident for 
commercial purposes) that the direct (constituent) and/or 
"extended" electronic agreements they entered into through the 
use of VDE can be enforced reliably. These agreements may have 
both "dynamic" transaction management related aspects, such as 
content usage control information enforced through budgeting, 
metering, and/or reporting of electronic information and/or 
appliance use, and/or they may include "static" electronic 
assertions, such as an end-user using the system to assert his or 
her agreement to pay for services, not to pass to unauthorized 
parties electronic information derived from usage of content or 
systems, and/or agreeing to observe copyright laws. Not only can 
electronically reported transaction related information be trusted 
under the present invention, but payment may be automated by 
the passing of payment tokens through a pathway of payment 
(which may or may not be the same as a pathway for reporting). 
Such payment can be contained within a VDE container created 
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automatically by a VDE installation in response to control 
information (located, in the preferred embodiment, in one or more 
permissions records) stipulating the "withdrawal" of credit or 
electronic currency (such as tokens) from an electronic account 
(for example, an account securely maintained by a user's VDE 
installation secure subsystem) based upon usage of VDE 
controlled electronic content and/or appliances (such as 
governments, financial credit providers, and users). 

VDE allows the needs of electronic commerce participants 
to be served and it can bind such participants together in a 
universe wide, trusted commercial network that can be secure 
enough to support very large amounts of commerce. VDE's 
security and metering secure subsystem core will be present at 
all physical locations where VDE related content is (a) assigned 
usage related control information (rules and mediating data), 
and/or (b) used. This core can perform security and auditing 
functions (including metering) that operate within a "virtual 
black box," a collection of distributed, very secure VDE related 
hardware instances that are interconnected by secured 
information exchange (for example, telecommunication) processes 
and distributed database means. VDE further includes highly 
configurable transaction operating system technology, one or 
more associated libraries of load modules along with affiliated 
data, VDE related administration, data preparation, and analysis 
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applications, as well as system software designed to enable VDE 
integration into host environments and applications. VDE's 
usage control information, for example, provide for property 
content and/or appliance related: usage authorization, usage 
auditing (which may include audit reduction), usage billing, 
usage payment, privacy filtering, reporting, and security related 
communication and encryption techniques. 

VDE extensively employs methods in the form of software 
objects to augment configurability, portability, and security of the 
VDE environment. It also employs a software object architecture 
for VDE content containers that carries protected content and 
may also carry both freely available information (e.g, summary, 
table of contents) and secured content control information which 
ensures the performance of control information. Content control 
information governs content usage according to criteria set by 
holders of rights to an object's contents and/or according to 
parties who otherwise have rights associated with distributing 
such content (such as governments, financial credit providers, 
and users). 

In part, security is enhanced by object methods employed 
by the present invention because the encryption schemes used to 
protect an object can efficiently be further used to protect the 
associated content control information (software control 
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information and relevant data) from modification. Said object 
techniques also enhance portability between various computer 
and/or other appliance environments because electronic 
information in the form of content can be inserted along with (for 
example, in the same object container as) content control 
information (for said content) to produce a "published" object. As 
a result, various portions of said control information may be 
specifically adapted for different environments, such as for 
diverse computer platforms and operating systems, and said 
various portions may all be carried by a VDE container. 

An objective of VDE is supporting a 
transaction/distribution control standard. Development of such a 
standard has many obstacles, given the security requirements 
and related hardware and communications issues, widely 
differing environments, information types, types of information 
usage, business and/or data security goals, varieties of 
participants, and properties of delivered information. A 
significant feature of VDE accommodates the many, varying 
distribution and other transaction variables by, in part, 
decomposing electronic commerce and data security functions 
into generalized capability modules executable within a secure 
hardware SPU and/or corresponding software subsystem and 
further allowing extensive flexibility in assembling, modifying, 
and/or replacing, such modules (e.g. load modules and/or 



-43- 



methods) in applications run on a VDE installation foundation. 
This configurability and reconfigur ability allows electronic 
commerce and data security participants to reflect their priorities 
and requirements through a process of iteratively shaping an 
evolving extended electronic agreement (electronic control 
model). This shaping can occur as content control information 
passes from one VDE participant to another and to the extent 
allowed by "in place" content control information. This process 
allows users of VDE to recast existing control information and/or 
add new control information as necessary (including the 
elimination of no longer required elements). 

VDE supports trusted (sufficiently secure) electronic 
information distribution and usage control models for both 
commercial electronic content distribution and data security 
applications. It can be configured to meet the diverse 
requirements of a network of interrelated participants that may 
include content creators, content distributors, client 
administrators, end users, and/or clearinghouses and/or other 
content usage information users. These parties may constitute a 
network of participants involved in simple to complex electronic 
content dissemination, usage control, usage reporting, and/or 
usage payment. Disseminated content may include both 
originally provided and VDE generated information (such as 
content usage information) and content control information may 
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persist through both chains (one or more pathways) of content 
and content control information handling, as well as the direct 
usage of content. The configurability provided by the present 
invention is particularly critical for supporting electronic 
commerce, that is enabling businesses to create relationships and 
evolve strategies that offer competitive value. Electronic 
commerce tools that are not inherently configurable and 
interoperable will ultimately fail to produce products (and 
services) that meet both basic requirements and evolving needs of 
most commerce applications. 

VDE's fundamental configurability will allow a broad 
range of competitive electronic commerce business models to 
flourish. It allows business models to be shaped to maximize 
15 revenues sources, end-user product value, and operating 

efficiencies. VDE can be employed to support multiple, differing 
models, take advantage of new revenue opportunities, and 
deliver product configurations most desired by users. Electronic 
commerce technologies that do not, as the present invention does: 
20 ! support a broad range of possible, complementary 

revenue activities, 
! offer a flexible array of content usage features most 

desired by customers, and 
! exploit opportunities for operating efficiencies, 
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will result in products that are often intrinsically more costly and 
less appealing and therefore less competitive in the marketplace. 

Some of the key factors contributing to the configurability 
5 intrinsic to the present invention include: 

(a) integration into the fundamental control 
environment of a broad range of electronic 
appliances through portable API and programming 
10 language tools that efficiently support merging of 

control and auditing capabilities in nearly any 
electronic appliance environment while maintaining 
overall system security; 

15 (b) modular data structures; 

(c) generic content model; 

(d) general modularity and independence of foundation 
20 architectural components; 

(e) modular security structures; 

(f) variable length and multiple branching chains of 
25 control; and 
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(g) independent, modular control structures in the form 
of executable load modules that can be maintained in 
one or more libraries, and assembled into control 
methods and models, and where such model control 
schemes can "evolve" as control information passes 
through the VDE installations of participants of a 
pathway of VDE content control information 
handling. 

Because of the breadth of issues resolved by the present 
invention, it can provide the emerging "electronic highway" with 
a single transaction/distribution control system that can, for a 
very broad range of commercial and data security models, ensure 
against unauthorized use of confidential and/or proprietary 
information and commercial electronic transactions. VDE's 
electronic transaction management mechanisms can enforce the 
electronic rights and agreements of all parties participating in 
widely varying business and data security models, and this can 
be efficiently achieved through a single VDE implementation 
within each VDE participant's electronic appliance. VDE 
supports widely varying business and/or data security models 
that can involve a broad range of participants at various 'levels" 
of VDE content and/or content control information pathways of 
handling. Different content control and/or auditing models and 
agreements may be available on the same VDE installation. 
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These models and agreements may control content in 
relationship to, for example, VDE installations and/or users in 
general; certain specific users, installations, classes and/or other 
groupings of installations and/or users; as well as to electronic 
content generally on a given installation, to specific properties, 
property portions, classes and/or other groupings of content. 

Distribution using VDE may package both the electronic 
content and control information into the same VDE container, 
and/or may involve the delivery to an end-user site of different 
pieces of the same VDE managed property from plural separate 
remote locations and/or in plural separate VDE content 
containers and/or employing plural different delivery means. 
Content control information may be partially or fully delivered 
separately from its associated content to a user VDE installation 
in one or more VDE administrative objects. Portions of said 
control information may be delivered from one or more sources. 
Control information may also be available for use by access from 
a user's VDE installation secure sub-system to one or more 
remote VDE secure sub-systems and/or VDE compatible, certified 
secure remote locations. VDE control processes such as 
metering, budgeting, decrypting and/or fingerprinting, may as 
relates to a certain user content usage activity, be performed in a 
user's local VDE installation secure subsystem, or said processes 
may be divided amongst plural secure subsystems which may be 
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located in the same user VDE installations and/or in a network 
server and in the user installation. For example, a local VDE 
installation may perform decryption and save any, or all of, usage 
metering information related to content and/or electronic 
appliance usage at such user installation could be performed at 
the server employing secure (e.g., encrypted) communications 
between said secure subsystems. Said server location may also 
be used for near real time, frequent, or more periodic secure 
receipt of content usage information from said user installation, 
with, for example, metered information being maintained only 
temporarily at a local user installation. 

Delivery means for VDE managed content may include 
electronic data storage means such as optical disks for delivering 
one portion of said information and broadcasting and/or 
telecommunicating means for other portions of said information. 
Electronic data storage means may include magnetic media, 
optical media, combined magneto-optical systems, flash RAM 
memory, bubble memory, and/or other memory storage means 
such as huge capacity optical storage systems employing 
holographic, frequency, and/or polarity data storage techniques. 
Data storage means may also employ layered disc techniques, 
such as the use of generally transparent and/or translucent 
materials that pass light through layers of data carrying discs 
which themselves are physically packaged together as one 
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thicker disc. Data carrying locations on such discs may be, at 
least in part, opaque. 

VDE supports a general purpose foundation for secure 
transaction management, including usage control, auditing, 
reporting, and/or payment. This general purpose foundation is 
called "VDE Functions" ("VDEFs"). VDE also supports a 
collection of "atomic" application elements (e.g., load modules) 
that can be selectively aggregated together to form various VDEF 
capabilities called control methods and which serve as VDEF 
applications and operating system functions. When a host 
operating environment of an electronic appliance includes VDEF 
capabilities, it is called a "Rights Operating System" (ROS). 
VDEF load modules, associated data, and methods form a body of 
information that for the purposes of the present invention are 
called "control information." VDEF control information may be 
specifically associated with one or more pieces of electronic 
content and/or it may be employed as a general component of the 
operating system capabilities of a VDE installation. 

VDEF transaction control elements reflect and enact 
content specific and/or more generalized administrative (for 
example, general operating system) control information. VDEF 
capabilities which can generally take the form of applications 
(application models) that have more or less configurability which 
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can be shaped by VDE participants, through the use, for 
example, of VDE templates, to employ specific capabilities, along, 
for example, with capability parameter data to reflect the 
elements of one or more express electronic agreements between 
VDE participants in regards to the use of electronic content such 
as commercially distributed products. These control capabilities 
manage the use of, and/or auditing of use of, electronic content, 
as well as reporting information based upon content use, and any 
payment for said use. VDEF capabilities may "evolve" to reflect 
the requirements of one or more successive parties who receive or 
otherwise contribute to a given set of control information. 
Frequently, for a VDE application for a given content model (such 
as distribution of entertainment on CD-ROM, content delivery 
from an Internet repository, or electronic catalog shopping and 
advertising, or some combination of the above) participants 
would be able to securely select from amongst available, 
alternative control methods and apply related parameter data, 
wherein such selection of control method and/or submission of 
data would constitute their "contribution" of control information. 
Alternatively, or in addition, certain control methods that have 
been expressly certified as securely interoperable and compatible 
with said application may be independently submitted by a 
participant as part of such a contribution. In the most general 
example, a generally certified load module (certified for a given 
VDE arrangement and/or content class) may be used with many 
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or any VDE application that operates in nodes of said 
arrangement. These parties, to the extent they are allowed, can 
independently and securely add, delete, and/or otherwise modify 
the specification of load modules and methods, as well as add, 
delete or otherwise modify related information. 

Normally the party who creates a VDE content container 
defines the general nature of the VDEF capabilities that will 
and/or may apply to certain electronic information. A VDE 
content container is an object that contains both content ( for 
example, commercially distributed electronic information 
products such as computer software programs, movies, electronic 
publications or reference materials, etc.) and certain control 
information related to the use of the object's content. A creating 
party may make a VDE container available to other parties. 
Control information delivered by, and/or otherwise available for 
use with, VDE content containers comprise (for commercial 
content distribution purposes) VDEF control capabilities (and 
any associated parameter data) for electronic content. These 
capabilities may constitute one or more "proposed" electronic 
agreements (and/or agreement functions available for selection 
and/or use with parameter data) that manage the use and/or the 
consequences of use of such content and which can enact the 
terms and conditions of agreements involving multiple parties 
and their various rights and obligations. 
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A VDE electronic agreement may be explicit, through a 
user interface acceptance by one or more parties, for example by 
a "junior* party who has received control information from a 
"senior" party, or it may be a process amongst equal parties who 
individually assert their agreement. Agreement may also result 
from an automated electronic process during which terms and 
conditions are "evaluated" by certain VDE participant control 
information that assesses whether certain other electronic terms 
and conditions attached to content and/or submitted by another 
party are acceptable (do not violate acceptable control 
information criteria). Such an evaluation process may be quite 
simple, for example a comparison to ensure compatibility 
between a portion of, or all senior, control terms and conditions in 
a table of terms and conditions and the submitted control 
information of a subsequent participant in a pathway of content 
control information handling, or it may be a more elaborate 
process that evaluates the potential outcome of, and/or 
implements a negotiation process between, two or more sets of 
control information submitted by two or more parties. VDE also 
accommodates a semi-automated process during which one or 
more VDE participants directly, through user interface means, 
resolve "disagreements" between control information sets by 
accepting and/or proposing certain control information that may 
be acceptable to control information representing one or more 
other parties interests and/or responds to certain user interface 
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queries for selection of certain alternative choices and/or for 
certain parameter information, the responses being adopted if 
acceptable to applicable senior control information. 

5 When another party (other than the first applier of rules), 

perhaps through a negotiation process, accepts, and/or adds to 
and/or otherwise modifies, "in place" content control information, 
a VDE agreement between two or more parties related to the use 
of such electronic content may be created (so long as any 

10 modifications are consistent with senior control information). 

Acceptance of terms and conditions related to certain electronic 
content may be direct and express, or it may be implicit as a 
result of use of content (depending, for example, on legal 
requirements, previous exposure to such terms and conditions, 

15 and requirements of in place control information). 

VDEF capabilities may be employed, and a VDE 
agreement may be entered into, by a plurality of parties without 
the VDEF capabilities being directly associated with the 

20 controlling of certain, specific electronic information. For 

example, certain one or more VDEF capabilities may be present 
at a VDE installation, and certain VDE agreements may have 
been entered into during the registration process for a content 
distribution application, to be used by such installation for 

25 securely controlling VDE content usage, auditing, reporting 



-54« 



WO 96/27155 



PCT/US96/02303 



and/or payment. Similarly, a specific VDE participant may enter 
into a VDE user agreement with a VDE content or electronic 
appliance provider when the user and/or her appliance register 
with such provider as a VDE installation and/or user. In such 
events, VDEF in place control information available to the user 
VDE installation may require that certain VDEF methods are 
employed, for example in a certain sequence, in order to be able 
to use all and/or certain classes, of electronic content and/or VDE 
applications. 

VDE ensures that certain prerequisites necessary for a 
given transaction to occur are met. This includes the secure 
execution of any required load modules and the availability of 
any required, associated data. For example, required load 
modules and data (e.g. in the form of a method) might specify 
that sufficient credit from an authorized source must be 
confirmed as available. It might further require certain one or 
more load modules execute as processes at an appropriate time to 
ensure that such credit will be used in order to pay for user use of 
the content. A certain content provider might, for example, 
require metering the number of copies made for distribution to 
employees of a given software program (a portion of the program 
might be maintained in encrypted form and require the presence 
of a VDE installation to run). This would require the execution of 
a metering method for copying of the property each time a copy 
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was made for another employee. This same provider might also 
charge fees based on the total number of different properties 
licensed from them by the user and a metering history of their 
licensing of properties might be required to maintain this 
information. 

VDE provides organization, community, and/or universe 
wide secure environments whose integrity is assured by 
processes securely controlled in VDE participant user 
installations (nodes). VDE installations, in the preferred 
embodiment, may include both software and tamper resistant 
hardware semiconductor elements. Such a semiconductor 
arrangement comprises, at least in part, special purpose circuitry 
that has been designed to protect against tampering with, or 
unauthorized observation of, the information and functions used 
in performing the VDE's control functions. The special purpose 
secure circuitry provided by the present invention includes at 
least one of: a dedicated semiconductor arrangement known as a 
Secure Processing Unit (SPU) and/or a standard microprocessor, 
microcontroller, and/or other processing logic that accommodates 
the requirements of the present invention and functions as an 
SPU. VDE's secure hardware may be found incorporated into, for 
example, a fax/modem chip or chip pack, I/O controller, video 
display controller, and/or other available digital processing 
arrangements. It is anticipated that portions of the present 
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invention's VDE secure hardware capabilities may ultimately be 
standard design elements of central processing units (CPUs) for 
computers and various other electronic devices. 

Designing VDE capabilities into one or more standard 
microprocessor, microcontroller and/or other digital processing 
components may materially reduce VDE related hardware costs 
by employing the same hardware resources for both the 
transaction management uses contemplated by the present 
invention and for other, host electronic appliance functions. This 
means that a VDE SPU can employ (share) circuitry elements of 
a "standard" CPU. For example, if a "standard" processor can 
operate in protected mode and can execute VDE related 
instructions as a protected activity, then such an embodiment 
may provide sufficient hardware security for a variety of 
applications and the expense of a special purpose processor might 
be avoided. Under one preferred embodiment of the present 
invention, certain memory (e.g., RAM, ROM, NVRAM) is 
maintained during VDE related instruction processing in a 
protected mode (for example, as supported by protected mode 
microprocessors). This memory is located in the same package as 
the processing logic (e.g. processor). Desirably, the packaging 
and memory of such a processor would be designed using security 
techniques that enhance its resistance to tampering. 
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The degree of overall security of the VDE system is 
primarily dependent on the degree of tamper resistance and 
concealment of VDE control process execution and related data 
storage activities. Employing special purpose semiconductor 
packaging techniques can significantly contribute to the degree of 
security. Concealment and tamper-resistance in semiconductor 
memory (e.g., RAM, ROM, NVRAM) can be achieved, in part, by 
employing such memory within an SPU package, by encrypting 
data before it is sent to external memory (such as an external 
RAM package) and decrypting encrypted data within the 
CPU/RAM package before it is executed. This process is used for 
important VDE related data when such data is stored on 
unprotected media, for example, standard host storage, such as 
random access memory, mass storage, etc. In that event, a VDE 
SPU would encrypt data that results from a secure VDE 
execution before such data was stored in external memory. 

Summary of Some Important Features Provided by VDE in 
Accordance With the Present Invention 

VDE employs a variety of capabilities that serve as a 

foundation for a general purpose, sufficiently secure distributed 

electronic commerce solution. VDE enables an electronic 

commerce marketplace that supports divergent, competitive 

business partnerships, agreements, and evolving overall business 

models. For example, VDE includes features that: 
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"sufficiently" impede unauthorized and/or 
uncompensated use of electronic information and/or 
appliances through the use of secure communication, 
storage, and transaction management technologies. 
VDE supports a model wide, distributed security 
implementation which creates a single secure 
"virtual" transaction processing and information 
storage environment. VDE enables distributed VDE 
installations to securely store and communicate 
information and remotely control the execution 
processes and the character of use of electronic 
information at other VDE installations and in a wide 
variety of ways; 

support low-cost, efficient, and effective security 
architectures for transaction control, auditing, 
reporting, and related communications and 
information storage. VDE may employ tagging 
related security techniques, the time-ageing of 
encryption keys, the compartmentalization of both 
stored control information (including differentially 
tagging such stored information to ensure against 
substitution and tampering) and distributed content 
(to, for many content applications, employ one or 
more content encryption keys that are unique to the 
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specific VDE installation and/or user), private key 
techniques such as triple DES to encrypt content, 
public key techniques such as RSA to protect 
communications and to provide the benefits of digital 
signature and authentication to securely bind 
together the nodes of a VDE arrangement, secure 
processing of important transaction management 
executable code, and a combining of a small amount 
of highly secure, hardware protected storage space 
with a much larger "exposed" mass media storage 
space storing secured (normally encrypted and 
tagged) control and audit information. VDE employs 
special purpose hardware distributed throughout 
some or all locations of a VDE implementation: a) 
said hardware controlling important elements of: 
content preparation (such as causing such content to 
be placed in a VDE content container and 
associating content control information with said 
content), content and/or electronic appliance usage 
auditing, content usage analysis, as well as content 
usage control; and b) said hardware having been 
designed to securely handle processing load module 
control activities, wherein said control processing 
activities may involve a sequence of required control 
factors; 
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support dynamic user selection of information 
subsets of a VDE electronic information product 
(VDE controlled content). This contrasts with the 
constraints of having to use a few high level 
individual, pre-defined content provider information 
increments such as being required to select a whole 
information product or product section in order to 
acquire or otherwise use a portion of such product or 
section. VDE supports metering and usage control 
over a variety of increments (including "atomic" 
increments, and combinations of different increment 
types) that are selected ad hoc by a user and 
represent a collection of pre-identified one or more 
increments (such as one or more blocks of a 
preidentified nature, e.g., bytes, images, logically 
related blocks) that form a generally arbitrary, but 
logical to a user, content "deliverable." VDE control 
information (including budgeting, pricing and 
metering) can be configured so that it can specifically 
apply, as appropriate, to ad hoc selection of different, 
unanticipated variable user selected aggregations of 
information increments and pricing levels can be, at 
least in part, based on quantities and/or nature of 
mixed increment selections (for example, a certain 
quantity of certain text could mean associated 
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images might be discounted by 15%; a greater 
quantity of text in the "mixed" increment selection 
might mean the images are discounted 20%). Such 
user selected aggregated information increments can 
reflect the actual requirements of a user for 
information and is more flexible than being limited 
to a single, or a few, high level, (e.g. product, 
document, database record) predetermined 
increments. Such high level increments may include 
quantities of information not desired by the user and 
as a result be more costly than the subset of 
information needed by the user if such a subset was 
available. In sum, the present invention allows 
information contained in electronic information 
products to be supplied according to user 
specification. Tailoring to user specification allows 
the present invention to provide the greatest value to 
users, which in turn will generate the greatest 
amount of electronic commerce activity. The user, 
for example, would be able to define an aggregation 
of content derived from various portions of an 
available content product, but which, as a 
deliverable for use by the user, is an entirely unique 
aggregated increment. The user may, for example, 
select certain numbers of bytes of information from 
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various portions of an information product, such as a 
reference work, and copy them to disc in 
unencrypted form and be billed based on total 
number of bytes plus a surcharge on the number of 
"articles" that provided the bytes. A content 
provider might reasonably charge less for such a 
user defined information increment since the user 
does not require all of the content from all of the 
articles that contained desired information. This 
process of defining a user desired information 
increment may involve artificial intelligence 
database search tools that contribute to the location 
of the most relevant portions of information from an 
information product and cause the automatic display 
to the user of information describing search criteria 
hits for user selection or the automatic extraction 
and delivery of such portions to the user. VDE 
further supports a wide variety of predefined 
increment types including: 
! bytes, 
! images, 

! content over time for audio or video, or any 
other increment that can be identified by content 
provider data mapping efforts, such as: 
! sentences, 
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paragraphs, 
articles, 

database records, and 
byte offsets representing increments of 
5 logically related information. 

VDE supports as many simultaneous predefined increment types 
as may be practical for a given type of content and business 
model. 

10 ! securely store at a user's site potentially highly 

detailed information reflective of a user's usage of a 
variety of different content segment types and 
employing both inexpensive "exposed* host mass 
storage for maintaining detailed information in the 

15 form of encrypted data and maintaining summary 

information for security testing in highly secure 
special purpose VDE installation nonvolatile 
memory (if available). 

20 ! support trusted chain of handling capabilities for 

pathways of distributed electronic information 
and/or for content usage related information. Such 
chains may extend, for example, from a content 
creator, to a distributor, a redistributor, a client 

25 user, and then may provide a pathway for securely 
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reporting the same and/or differing usage 
information to one or more auditors, such as to one 
or more independent clearinghouses and then back 
to the content providers, including content creators. 
The same and/or different pathways employed for 
certain content handling, and related content control 
information and reporting information handling, 
may also be employed as one or more pathways for 
electronic payment handling (payment is 
characterized in the present invention as 
administrative content) for electronic content and/or 
appliance usage. These pathways are used for 
conveyance of all or portions of content, and/or 
content related control information. Content 
creators and other providers can specify the 
pathways that, partially or fully, must be used to 
disseminate commercially distributed property 
content, content control information, payment 
administrative content, and/or associated usage 
reporting information. Control information specified 
by content providers may also specify which specific 
parties must or may (including, for example, a group 
of eligible parties from which a selection may be 
made) handle conveyed information. It may also 
specify what transmission means (for example 
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telecommunication carriers or media types) and 
transmission hubs must or may be used. 

support flexible auditing mechanisms, such as 
employing "bitmap meters," that achieve a high 
degree of efficiency of operation and throughput and 
allow, in a practical manner, the retention and ready 
recall of information related to previous usage 
activities and related patterns. This flexibility is 
adaptable to a wide variety of billing and security 
control strategies such as: 
P upgrade pricing (e.g. suite purchases), 
P pricing discounts (including quantity 
discounts), 

P billing related time duration variables such as 
discounting new purchases based on the 
timing of past purchases, and 

P security budgets based on quantity of 

different, logically related units of electronic 
information used over an interval of time. 

Use of bitmap meters (including "regular" and "wide" 
bitmap meters) to record usage and/or purchase of 
information, in conjunction with other elements of 
the preferred embodiment of the present invention, 
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uniquely supports efficient maintenance of usage 
history for: (a) rental, (b) flat fee licensing or 
purchase, (c) licensing or purchase discounts based 
upon historical usage variables, and (d) reporting to 
users in a manner enabling users to determine 
whether a certain item was acquired, or acquired 
within a certain time period (without requiring the 
use of conventional database mechanisms, which are 
highly inefficient for these applications). Bitmap 
meter methods record activities associated with 
electronic appliances, properties, objects, or portions 
thereof, and/or administrative activities that are 
independent of specific properties, objects, etc., 
performed by a user and/or electronic appliance such 
that a content and/or appliance provider and/or 
controller of an administrative activity can 
determine whether a certain activity has occurred at 
some point, or during a certain period, in the past 
(for example, certain use of a commercial electronic 
content product and/or appliance). Such 
determinations can then be used as part of pricing 
and/or control strategies of a content and/or 
appliance provider, and/or controller of an 
administrative activity. For example, the content 
provider may choose to charge only once for access to 
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a portion of a property, regardless of the number of 
times that portion of the property is accessed by a 
user. 

support "launchable" content, that is content that 
can be provided by a content provider to an end-user, 
who can then copy or pass along the content to other 
end-user parties without requiring the direct 
participation of a content provider to register and/or 
otherwise initialize the content for use. This content 
goes "out of (the traditional distribution) channel" in 
the form of a "traveling object." Traveling objects are 
containers that securely carry at least some 
permissions information and/or methods that are 
required for their use (such methods need not be 
carried by traveling objects if the required methods 
will be available at, or directly available to, a 
destination VDE installation). Certain travelling 
objects may be used at some or all VDE installations 
of a given VDE arrangement since they can make 
available the content control information necessary 
for content use without requiring the involvement of 
a commercial VDE value chain participant or data 
security administrator (e.g. a control officer or 
network administrator). As long as traveling object 
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control information requirements are available at 
the user VDE installation secure subsystem (such as 
the presence of a sufficient quantity of financial 
credit from an authorized credit provider), at least 
some travelling object content may be used by a 
receiving party without the need to establish a 
connection with a remote VDE authority (until, for 
example, budgets are exhausted or a time content 
usage reporting interval has occurred). Traveling 
objects can travel "out-of-channel* allowing, for 
example, a user to give a copy of a traveling object 
whose content is a software program, a movie or a 
game, to a neighbor, the neighbor being able to use 
the traveling object if appropriate credit (e.g. an 
electronic clearinghouse account from a 
clearinghouse such as VISA or AT&T) is available. 
Similarly, electronic information that is generally 
available on an Internet, or a similar network, 
repository might be provided in the form of a 
traveling object that can be downloaded and 
subsequently copied by the initial downloader and 
then passed along to other parties who may pass the 
object on to additional parties. 
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provide very flexible and extensible user 
identification according to individuals, installations, 
by groups such as classes, and by function and 
hierarchical identification employing a hierarchy of 
levels of client identification (for example, client 
organization ID, client department ID, client 
network ID, client project ID, and client employee 
ID, or any appropriate subset of the above). 

provide a general purpose, secure, component based 
content control and distribution system that 
functions as a foundation transaction operating 
system environment that employs executable code 
pieces crafted for transaction control and auditing. 
These code pieces can be reused to optimize 
efficiency in creation and operation of trusted, 
distributed transaction management arrangements. 
VDE supports providing such executable code in the 
form of "atomic" load modules and associated data. 
Many such load modules are inherently configurable, 
aggregatable, portable, and extensible and 
singularly, or in combination (along with associated 
data), run as control methods under the VDE 
transaction operating environment. VDE can satisfy 
the requirements of widely differing electronic 
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commerce and data security applications by, in part, 
employing this general purpose transaction 
management foundation to securely process VDE 
transaction related control methods. Control 
5 methods are created primarily through the use of 

one or more of said executable, reusable load module 
code pieces (normally in the form of executable object 
components) and associated data. The component 
nature of control methods allows the present 

10 invention to efficiently operate as a highly 

configurable content control system. Under the 
present invention, content control models can be 
iteratively and asynchronously shaped, and 
otherwise updated to accommodate the needs of VDE 

15 participants to the extent that such shaping and 

otherwise updating conforms to constraints applied 
by a VDE application, if any (e.g., whether new 
component assemblies are accepted and, if so, what 
certification requirements exist for such component 

20 assemblies or whether any or certain participants 

may shape any or certain control information by 
selection amongst optional control information 
(permissions record) control methods. This iterative 
(or concurrent) multiple participant process occurs 

25 as a result of the submission and use of secure, 
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control information components (executable code 
such as load modules and/or methods, and/or 
associated data). These components may be 
contributed independently by secure communication 
between each control information influencing VDE 
participant's VDE installation and may require 
certification for use with a given application, where 
such certification was provided by a certification 
service manager for the VDE arrangement who 
ensures secure interoperability and/or reliability 
(e.g., bug control resulting from interaction) between 
appliances and submitted control methods. The 
transaction management control functions of a VDE 
electronic appliance transaction operating 
environment interact with non-secure transaction 
management operating system functions to properly 
direct transaction processes and data related to 
electronic information security, usage control, 
auditing, and usage reporting. VDE provides the 
capability to manages resources related to secure 
VDE content and/or appliance control information 
execution and data storage. 

facilitate creation of application and/or system 
functionality under VDE and to facilitate integration 
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into electronic appliance environments of load 
modules and methods created under the present 
invention. To achieve this, VDE employs an 
Application Programmer's Interface (API) and/or a 
transaction operating system (such as a ROS) 
programming language with incorporated functions, 
both of which support the use of capabilities and can 
be used to efficiently and tightly integrate VDE 
functionality into commercial and user applications. 

support user interaction through: (a) "Pop-Up" 
applications which, for example, provide messages to 
users and enable users to take specific actions such 
as approving a transaction, (b) stand-alone VDE 
applications that provide administrative 
environments for user activities such as: end-user 
preference specifications for limiting the price per 
transaction, unit of time, and/or session, for 
accessing history information concerning previous 
transactions, for reviewing financial information 
such as budgets, expenditures (e.g. detailed and/or 
summary) and usage analysis information, and (c) 
VDE aware applications which, as a result of the use 
of a VDE API and/of a transaction management (for 



-73- 



PCT/US96/02303 



example, ROS based) programming language 
embeds VDE "awareness" into commercial or 
internal software (application programs, games, etc.) 
so that VDE user control information and services 
are seamlessly integrated into such software and can 
be directly accessed by a user since the underlying 
functionality has been integrated into the 
commercial software's native design. For example, 
in a VDE aware word processor application, a user 
may be able to "print" a document into a VDE 
content container object, applying specific control 
information by selecting from amongst a series of 
different menu templates for different purposes (for 
example, a confidential memo template for internal 
organization purposes may restrict the ability to 
"keep" that is to make an electronic copy of the 
memo). 

employ "templates" to ease the process of configuring 
capabilities of the present invention as they relate to 
specific industries or businesses. Templates are 
applications or application add-ons under the 
present invention. Templates support the efficient 
specification and/or manipulation of criteria related 
to specific content types, distribution approaches, 
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pricing mechanisms, user interactions with content 
and/or administrative activities, and/or the like. 
Given the veiy large range of capabilities and 
configurations supported by the present invention, 
reducing the range of configuration opportunities to 
a manageable subset particularly appropriate for a 
given business model allows the full configurable 
power of the present invention to be easily employed 
by "typical" users who would be otherwise burdened 
with complex programming and/or configuration 
design responsibilities template applications can also 
help ensure that VDE related processes are secure 
and optimally bug free by reducing the risks 
associated with the contribution of independently 
developed load modules, including unpredictable 
aspects of code interaction between independent 
modules and applications, as well as security risks 
associated with possible presence of viruses in such 
modules. VDE, through the use of templates, 
reduces typical user configuration responsibilities to 
an appropriately focused set of activities including 
selection of method types (e.g. functionality) through 
menu choices such as multiple choice, icon selection, 
and/or prompting for method parameter data (such 
as identification information, prices, budget limits, 
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dates, periods of time, access rights to specific 
content, etc.) that supply appropriate and/or 
necessary data for control information purposes. By 
limiting the typical (non-programming) user to a 
limited subset of configuration activities whose 
general configuration environment (template) has 
been preset to reflect general requirements 
corresponding to that user, or a content or other 
business model can very substantially limit 
difficulties associated with content containerization 
(including placing initial control information on 
content), distribution, client administration, 
electronic agreement implementation, end-user 
interaction, and clearinghouse activities, including 
associated interoperability problems (such as 
conflicts resulting from security, operating system, 
and/or certification incompatibilities). Use of 
appropriate VDE templates can assure users that 
their activities related to content VDE 
containerization, contribution of other control 
information, communications, encryption techniques 
and/or keys, etc. will be in compliance with 
specifications for their distributed VDE 
arrangement. VDE templates constitute preset 
configurations that can normally be reconfigurable 
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to allow for new and/or modified templates that 
reflect adaptation into new industries as they evolve 
or to reflect the evolution or other change of an 
existing industry. For example, the template 
concept may be used to provide individual, overall 
frameworks for organizations and individuals that 
create, modify, market, distribute, consume, and/or 
otherwise use movies, audio recordings and live 
performances, magazines, telephony based retail 
sales, catalogs, computer software, information data 
bases, multimedia, commercial communications, 
advertisements, market surveys, infomercials, 
games, CAD/CAM services for numerically controlled 
machines, and the like. As the context surrounding 
these templates changes or evolves, template 
applications provided under the present invention 
may be modified to meet these changes for broad 
use, or for more focused activities. A given VDE 
participant may have a plurality of templates 
available for different tasks. A party that places 
content in its initial VDE container may have a 
variety of different, configurable templates 
depending on the type of content and/or business 
model related to the content. An end-user may have 
different configurable templates that can be applied 
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to different document types (e-mail, secure internal 
documents, database records, etc.) and/or subsets of 
users (applying differing general sets of control 
information to different bodies of users, for example, 
selecting a list of users who may, under certain 
preset criteria, use a certain document). Of course, 
templates may, under certain circumstances have 
fixed control information and not provide for user 
selections or parameter data entry. 

support plural, different control models regulating 
the use and/or auditing of either the same specific 
copy of electronic information content and/or 
differently regulating different copies (occurrences) 
of the same electronic information content. Differing 
models for billing, auditing, and security can be 
applied to the same piece of electronic information 
content and such differing sets of control information 
may employ, for control purposes, the same, or 
differing, granularities of electronic information 
control increments. This includes supporting 
variable control information for budgeting and 
auditing usage as applied to a variety of predefined 
increments of electronic information, including 
employing a variety of different budgets and/or 
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metering increments for a given electronic 
information deliverable for: billing units of measure, 
credit limit, security budget limit and security 
content metering increments, and/or market 
surveying and customer profiling content metering 
increments. For example, a CD-ROM disk with a 
database of scientific articles might be in part billed 
according to a formula based on the number of bytes 
decrypted, number of articles containing said bytes 
decrypted, while a security budget might limit the 
use of said database to no more than 5% of the 
database per month for users on the wide area 
network it is installed on. 

provide mechanisms to persistently maintain trusted 
content usage and reporting control information 
through both a sufficiently secure chain of handling 
of content and content control information and 
through various forms of usage of such content 
wherein said persistence of control may survive such 
use. Persistence of control includes the ability to 
extract information from a VDE container object by 
creating a new container whose contents are at least 
in part secured and that contains both the extracted 
content and at least a portion of the control 
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information which control information of the original 
container and/or are at least in part produced by 
control information of the original container for this 
purpose and/or VDE installation control information 
stipulates should persist and/or control usage of 
content in the newly formed container. Such control 
information can continue to manage usage of 
container content if the container is "embedded* into 
another VDE managed object, such as an object 
which contains plural embedded VDE containers, 
each of which contains content derived (extracted) 
from a different source. 

enables users, other value chain participants (such 
as clearinghouses and government agencies), and/or 
user organizations, to specify preferences or 
requirements related to their use of electronic 
content and/or appliances. Content users, such as 
end-user customers using commercially distributed 
content (games, information resources, software 
programs, etc.), can define, if allowed by senior 
control information, budgets, and/or other control 
information, to manage their own internal use of 
content. Uses include, for example, a user setting a 
limit on the price for electronic documents that the 
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user is wilting to pay without prior express user 
authorization, and the user establishing the 
character of metering information he or she is 
willing to allow to be collected (privacy protection). 
This includes providing the means for content users 
to protect the privacy of information derived from 
their use of a VDE installation and content and/or 
appliance usage auditing. In particular, VDE can 
prevent information related to a participant's usage 
of electronic content from being provided to other 
parties without the participant's tacit or explicit 
agreement. 

provide mechanisms that allow control information 
to "evolve" and be modified according, at least in 
part, to independently, securely delivered further 
control information. Said control information may 
include executable code (e.g., load modules) that has 
been certified as acceptable (e.g., reliable and 
trusted) for use with a specific VDE application, 
class of applications, and/or a VDE distributed 
arrangement. This modification (evolution) of 
control information can occur upon content control 
information (load modules and any associated data) 
circulating to one or more VDE participants in a 
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pathway of handling of control information, or it may 
occur upon control information being received from a 
VDE participant. Handlers in a pathway of 
handling of content control information, to the extent 
each is authorized, can establish, modify, and/or 
contribute to, permission, auditing, payment, and 
reporting control information related to controlling, 
analyzing, paying for, and/or reporting usage of, 
electronic content and/or appliances (for example, as 
related to usage of VDE controlled property content). 
Independently delivered (from an independent 
source which is independent except in regards to 
certification), at least in part secure, control 
information can be employed to securely modify 
content control information when content control 
information has flowed from one party to another 
party in a sequence of VDE content control 
information handling. This modification employs, 
for example, one or more VDE component assemblies 
being securely processed in a VDE secure subsystem. 
In an alternate embodiment, control information 
may be modified by a senior party through use of 
their VDE installation secure sub-system after 
receiving submitted, at least in part secured, control 
information from a "junior* party, normally in the 
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form of a VDE administrative object. Control 
information passing along VDE pathways can 
represent a mixed control set, in that it may include: 
control information that persisted through a 
sequence of control information handlers, other 
control information that was allowed to be modified, 
and further control information representing new 
control information and/or mediating data. Such a 
control set represents an evolution of control 
information for disseminated content. In this 
example the overall content control set for a VDE 
content container is "evolving" as it securely (e.g. 
communicated in encrypted form and using 
authentication and digital signaturing techniques) 
passes, at least in part, to a new participant's VDE 
installation where the proposed control information 
is securely received and handled. The received 
control information may be integrated (through use 
of the receiving parties 1 VDE installation secure 
sub-system) with in-place control information 
through a negotiation process involving both control 
information sets. For example, the modification, 
within the secure sub-system of a content provider's 
VDE installation, of content control information for a 
certain VDE content container may have occurred as 



-83- 



a result of the incorporation of required control 
information provided by a financial credit provider. 
Said credit provider may have employed their VDE 
installation to prepare and securely communicate 
(directly or indirectly) said required control 
information to said content provider. Incorporating 
said required control information enables a content 
provider to allow the credit provider's credit to be 
employed by a content end-user to compensate for 
the end-user's use of VDE controlled content and/or 
appliances, so long as said end-user has a credit 
account with said financial credit provider and said 
credit account has sufficient credit available. 
Similarly, control information requiring the payment 
of taxes and/or the provision of revenue information 
resulting from electronic commerce activities may be 
securely received by a content provider. This control 
information may be received, for example, from a 
government agency. Content providers might be 
required by law to incorporate such control 
information into the control information for 
commercially distributed content and/or services 
related to appliance usage. Proposed control 
information is used to an extent allowed by senior 
control information and as determined by any 
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negotiation trade-offs that satisfy priorities 
stipulated by each set (the received set and the 
proposed set). VDE also accommodates different 
control schemes specifically applying to different 
participants (e.g., individual participants and/or 
participant classes (types)) in a network of VDE 
content handling participants. 

support multiple simultaneous control models for the 
same content property and/or property portion. 
This allows, for example, for concurrent business 
activities which are dependent on electronic 
commercial product content distribution, such as 
acquiring detailed market survey information and/or 
supporting advertising, both of which can increase 
revenue and result in lower content costs to users 
and greater value to content providers. Such control 
information and/or overall control models may be 
applied, as determined or allowed by control 
information, in differing manners to different 
participants in a pathway of content, reporting, 
payment, and/or related control information 
handling. VDE supports applying different content 
control information to the same and/or different 
content and/or appliance usage related activities, 
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and/or to different parties in a content and/or 
appliance visage model, such that different parties 
(or classes of VDE users, for example) are subject to 
differing control information managing their use of 
electronic information content. For example, 
differing control models based on the category of a 
user as a distributor of a VDE controlled content 
object or an end-user of such content may result in 
different budgets being applied. Alternatively, for 
example, a one distributor may have the right to 
distribute a different array of properties than 
another distributor (from a common content 
collection provided, for example, on optical disc). An 
individual, and/or a class or other grouping of 
end-users, may have different costs (for example, a 
student, senior citizen, and/or poor citizen user of 
content who may be provided with the same or 
differing discounts) than a "typical" content user. 

support provider revenue information resulting from 
customer use of content and/or appliances, and/or 
provider and/or end-user payment of taxes, through 
the transfer of credit and/or electronic currency from 
said end-user and/or provider to a government 
agency, might occur "automatically" as & result of 
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such received control information causing the 
generation of a VDE content container whose 
content includes customer content usage information 
reflecting secure, trusted revenue summary 
information and/or detailed user transaction listings 
(level of detail might depend, for example on type or 
size of transaction — information regarding a bank 
interest payment to a customer or a transfer of a 
large (e.g. over $10,000) might be, by law, 
automatically reported to the government). Such 
summary and/or detailed information related to 
taxable events and/or currency, and/or creditor 
currency transfer, may be passed along a pathway of 
reporting and/or payment to the government in a 
VDE container. Such a container may also be used 
for other VDE related content usage reporting 
information. 

support the flowing of content control information 
through different "branches" of content control 
information handling so as to accommodate, under 
the present invention's preferred embodiment, 
diverse controlled distributions of VDE controlled 
content. This allows different parties to employ the 
same initial electronic content with differing 
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(perhaps competitive) control strategies. In this 
instance, a party who first placed control information 
on content can make certain control assumptions 
and these assumptions would evolve into more 
specific and/or extensive control assumptions. These 
control assumptions can evolve during the branching 
sequence upon content model participants 
submitting control information changes, for example, 
for use in "negotiating" with a in place" content 
control information. This can result in new or 
modified content control information and/or it might 
involve the selection of certain one or more already 
"in-place" content usage control methods over 
in-place alternative methods, as well as the 
submission of relevant control information 
parameter data. This form of evolution of different 
control information sets applied to different copies of 
the same electronic property content and/of 
appliance results from VDE control information 
flowing "down" through different branches in an 
overall pathway of handling and control and being 
modified differently as it diverges down these 
different pathway branches. This ability of the 
present invention to support multiple pathway 
branches for the flow of both VDE content control 
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information and VDE managed content enables an 
electronic commerce marketplace which supports 
diverging, competitive business partnerships, 
agreements, and evolving overall business models 
which can employ the same content properties 
combined, for example, in differing collections of 
content representing differing at least in part 
competitive products. 

enable a user to securely extract, through the use of 
the secure subsystem at the user's VDE installation, 
at least a portion of the content included within a 
VDE content container to produce a new, secure 
object (content container), such that the extracted 
information is maintained in a continually secure 
manner through the extraction process. Formation 
of the new VDE container containing such extracted 
content shall result in control information consistent 
with, or specified by, the source VDE content 
container, and/or local VDE installation secure 
subsystem as appropriate, content control 
information. Relevant control information, such as 
security and administrative information, derived, at 
least in part, from the parent (source) object's control 
information, will normally be automatically inserted 
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into a new VDE content container object containing 
extracted VDE content. This process typically occurs 
tinder the control framework of a parent object 
and/or VDE installation control information 
5 executing at the user's VDE installation secure 

subsystem (with, for example, at least a portion of 
this inserted control information being stored 
securely in encrypted form in one or more 
permissions records). In an alternative embodiment, 

10 the derived content control information applied to 

extracted content may be in part or whole derived 
from, or employ, content control information stored 
remotely from the VDE installation that performed 
the secure extraction such as at a remote server 

15 location. As with the content control information for 

most VDE managed content, features of the present 
invention allows the content's control information to: 



(a) "evolve," for example, the extractor of content 
20 may add new control methods and/or modify 

control parameter data, such as VDE 
application compliant methods, to the extent 
allowed by the content's in-place control 
information. Such new control information 
25 might specify, for example, who may use at 
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least a portion of the new object, and/or how 
said at least a portion of said extracted content 
may be used (e.g. when at least a portion may 
be used, or what portion or quantity of 
portions may be used); 

allow a user to combine additional content 
with at least a portion of said extracted 
content, such as material authored by the 
extractor and/or content (for example, images, 
video, audio, and/or text) extracted from one or 
more other VDE container objects for 
placement directly into the new container; 

allow a user to securely edit at least a portion 
of said content while maintaining said content 
in a secure form within said VDE content 
container; 

append extracted content to a pre-existing 
VDE content container object and attach 
associated control information — in these 
cases, user added information may be secured, 
e.g., encrypted, in part or as a whole, and may 
be subject to usage and/or auditing control 
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information that differs from the those applied 
to previously in place object content; 

(e) preserve VDE control over one or more 

portions of extracted content after various 
forms of usage of said portions, for example, 
maintain content in securely stored form while 
allowing "temporary" on screen display of 
content or allowing a software program to be 
maintained in secure form but transiently 
decrypt any encrypted executing portion of 
said program (all, or only a portion, of said 
program may be encrypted to secure the 
program). 

Generally, the extraction features of the present 
invention allow users to aggregate and/or 
disseminate and/or otherwise use protected 
electronic content information extracted from 
content container sources while maintaining secure 
VDE capabilities thus preserving the rights of 
providers in said content information after various 
content usage processes. 
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support the aggregation of portions of VDE 
controlled content, such portions being subject to 
differing VDE content container control information, 
wherein various of said portions may have been 
provided by independent, different content providers 
from one or more different locations remote to the 
user performing the aggregation. Such aggregation, 
in the preferred embodiment of the present 
invention, may involve preserving at least a portion 
of the control information (e.g., executable code such 
as load modules) for each of various of said portions 
by, for example, embedding some or all of such 
portions individually as VDE content container 
objects within an overall VDE content container 
and/or embedding some or all of such portions 
directly into a VDE content container. In the latter 
case, content control information of said content 
container may apply differing control information 
sets to various of such portions based upon said 
portions original control information requirements 
before aggregation. Each of such embedded VDE 
content containers may have its own control 
information in the form of one or more permissions 
records. Alternatively, a negotiation between control 
information associated with various aggregated 
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portions of electronic content, may produce a control 
information set that would govern some or all of the 
aggregated content portions. The VDE content 
control information produced by the negotiation may 
be uniform (such as having the same load modules 
and/or component assemblies, and/or it may apply 
differing such content control information to two or 
more portions that constitute an aggregation of VDE 
controlled content such as differing metering, 
budgeting, billing and/or payment models. For 
example, content usage payment may be 
automatically made, either through a clearinghouse, 
or directly, to different content providers for different 
potions. 

enable flexible metering of, or other collection of 
information related to, use of electronic content 
and/or electronic appliances. A feature of the 
present invention enables such flexibility of metering 
control mechanisms to accommodate a simultaneous, 
broad array of: (a) different parameters related to 
electronic information content use; (b) different 
increment units (bytes, documents, properties, 
paragraphs, images, etc.) and/or other organizations 
of such electronic content; and/or (c) different 
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categories of user and/or VDE installation types, 
such as client organizations, departments, projects, 
networks, and/or individual users, etc. This feature 
of the present invention can be employed for content 
security, usage analysis (for example, market 
surveying), and/or compensation based upon the use 
and/or exposure to VDE managed content. Such 
metering is a flexible basis for ensuring payment for 
content royalties, licensing, purchasing, and/or 
advertising. A feature of the present invention 
provides for payment means supporting flexible 
electronic currency and credit mechanisms, 
including the ability to securely maintain audit trails 
reflecting information related to use of such currency 
or credit. VDE supports multiple differing 
hierarchies of client organization control information 
wherein an organization client administrator 
distributes control information specifying the usage 
rights of departments, users, and/or projects. 
Likewise, a department (division) network manager 
can function as a distributor (budgets, access rights, 
etc.) for department networks, projects, and/or users, 
etc. 
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provide scalable, integratable, standardized control 
means for use on electronic appliances ranging from 
inexpensive consumer (for example, television 
set-top appliances) and professional devices (and 
hand-held PDAs) to servers, mainframes, 
communication switches, etc. The scalable 
transaction management/auditing technology of the 
present invention will result in more efficient and 
reliable interoperability amongst devices functioning 
in electronic commerce and/or data security 
environments. As standardized physical containers 
have become essential to the shipping of physical 
goods around the world, allowing these physical 
containers to universally "fit" unloading equipment, 
efficiently use truck and train space, and 
accommodate known arrays of objects (for example, 
boxes) in an efficient manner, so VDE electronic 
content containers may, as provided by the present 
invention, be able to efficiently move electronic 
information content (such as commercially published 
properties, electronic currency and credit, and 
content audit information), and associated content 
control information, around the world. 
Interoperability is fundamental to efficient electronic 
commerce. The design of the VDE foundation, VDE 
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load modules, and VDE containers, are important 
features that enable the VDE node operating 
environment to be compatible with a very broad 
range of electronic appliances. The ability, for 
example, for control methods based on load modules 
to execute in very "small 7 ' and inexpensive secure 
sub-system environments, such as environments 
with very little read/write memory, while also being 
able to execute in large memory sub-systems that 
may be used in more expensive electronic appliances, 
supports consistency across many machines. This 
consistent VDE operating environment, including its 
control structures and container architecture, 
enables the use of standardized VDE content 
containers across a broad range of device types and 
host operating environments. Since VDE 
capabilities can be seamlessly integrated as 
extensions, additions, and/or modifications to 
fundamental capabilities of electronic appliances and 
host operating systems, VDE containers, content 
control information, and the VDE foundation will be 
able to work with many device types and these 
device types will be able to consistently and 
efficiently interpret and enforce VDE control 
information. Through this integration users can also 
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benefit from a transparent interaction with many of 
the capabilities of VDE. VDE integration with 
software operating on a host electronic appliance 
supports a variety of capabilities that would be 
unavailable or less secure without such integration. 
Through integration with one or more device 
applications and/or device operating environments, 
many capabilities of the present invention can be 
presented as inherent capabilities of a given 
electronic appliance, operating system, or appliance 
application. For example, features of the present 
invention include: (a) VDE system software to in 
part extend and/or modify host operating systems 
such that they possesses VDE capabilities, such as 
enabling secure transaction processing and 
electronic information storage; (b) one or more 
application programs that in part represent tools 
associated with VDE operation; and/or (c) code to be 
integrated into application programs, wherein such 
code incorporates references into VDE system 
software to integrate VDE capabilities and makes 
such applications VDE aware (for example, word 
processors, database retrieval applications, 
spreadsheets, multimedia presentation authoring 
tools, film editing software, music editing software 
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such as MIDI applications and the like, robotics 
control systems such as those associated with 
CAD/CAM environments and NCM software and the 
like, electronic mail systems, teleconferencing 
software, and other data authoring, creating, 
handling, and/or usage applications including 
combinations of the above). These one or more 
features (which may also be implemented in 
firmware or hardware) may be employed in 
conjunction with a VDE node secure hardware 
processing capability, such as a microcontrollers), 
microprocessors), other CPU(s) or other digital 
processing logic. 

employ audit reconciliation and usage pattern 
evaluation processes that assess, through certain, 
normally network based, transaction processing 
reconciliation and threshold checking activities, 
whether certain violations of security of a VDE 
arrangement have occurred. These processes are 
performed remote to VDE controlled content 
end-user VDE locations by assessing, for example, 
purchases, and/or requests, for electronic properties 
by a given VDE installation. Applications for such 
reconciliation activities include assessing whether 
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the quantity of remotely delivered VDE controlled 
content corresponds to the amount of financial credit 
and/or electronic currency employed for the use of 
such content. A trusted organization can acquire 
information from content providers concerning the 
cost for content provided to a given VDE installation 
and/or user and compare this cost for content with 
the credit and/or electronic currency disbursements 
for that installation and/or user. Inconsistencies in 
the amount of content delivered versus the amount 
of disbursement can prove, and/or indicate, 
depending on the circumstances, whether the local 
VDE installation has been, at least to some degree, 
compromised (for example, certain important system 
security functions, such as breaking encryption for at 
least some portion of the secure subsystem and/or 
VDE controlled content by uncovering one or more 
keys). Detennining whether irregular patterns (e.g. 
unusually high demand) of content usage, or 
requests for delivery of certain kinds of VDE 
controlled information during a certain time period 
by one or more VDE installations and/or users 
(including, for example, groups of related users 
whose aggregate pattern of usage is suspicious) may 
also be useful in determining whether security at 
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such one or more installations, and/or by such one or 
more users, has been compromised, particularly 
when used in combination with an assessment of 
electronic credit and/or currency provided to one or 
more VDE users and/or installations, by some or all 
of their credit and/or currency suppliers, compared 
with the disbursements made by such users and/or 
installations. 

support security techniques that materially increase 
the time required to "break" a system's integrity. 
This includes using a collection of techniques that 
minimizes the damage resulting from comprising 
some aspect of the security features of the present 
inventions. 

provide a family of authoring, administrative, 
reporting, payment, and billing tool user applications 
that comprise components of the present invention's 
trusted/secure, universe wide, distributed 
transaction control and administration system. 
These components support VDE related: object 
creation (including placing control information on 
content), secure object distribution and management 
(including distribution control information, financial 
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related, and other usage analysis), client internal 
VDE activities administration and control, security 
management, user interfaces, payment 
disbursement, and clearinghouse related functions. 
These components are designed to support highly 
secure, uniform, consistent, and standardized: 
electronic commerce and/or data security pathway(s) 
of handling, reporting, and/or payment; content 
control and administration; and human factors (e.g. 
user interfaces). 

support the operation of a plurality of 
clearinghouses, including, for example, both 
financial and user clearinghouse activities, such as 
those performed by a client administrator in a large 
organization to assist in the organization's use of a 
VDE arrangement, including usage information 
analysis, and control of VDE activities by individuals 
and groups of employees such as specifying budgets 
and the character of usage rights available under 
VDE for certain groups of and/or individual, client 
personnel, subject to control information series to 
control information submitted by the client 
administrator. At a clearinghouse, one or more VDE 
installations may operate together with a trusted 
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distributed database environment (which may 
include concurrent database processing means). A 
financial clearinghouse normally receives at its 
location securely delivered content usage 
information, and user requests (such as requests for 
further credit, electronic currency, and/or higher 
credit limit). Reporting of usage information and 
user requests can be used for supporting electronic 
currency, billing, payment and credit related 
activities, and/or for user profile analysis and/or 
broader market survey analysis and marketing 
(consolidated) list generation or other information 
derived, at least in part, from said usage 
information, this information can be provided to 
content providers or other parties, through secure, 
authenticated encrypted communication to the VDE 
installation secure subsystems. Clearinghouse 
processing means would normally be connected to 
specialized I/O means, which may include high speed 
telecommunication switching means that may be 
used for secure communications between a 
clearinghouse and other VDE pathway participants. 

securely support electronic currency and credit 
usage control, storage, and communication at, and 
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between, VDE installations. VDE further supports 
automated passing of electronic currency and/or 
credit information, including payment tokens (such 
as in the form of electronic currency or credit) or 
other payment information, through a pathway of 
payment, which said pathway may or may not be the 
same as a pathway for content usage information 
reporting. Such payment may be placed into a VDE 
container created automatically by a VDE 
installation in response to control information 
stipulating the "withdrawal" of credit or electronic 
currency from an electronic credit or currency 
account based upon an amount owed resulting from 
usage of VDE controlled electronic content and/or 
appliances. Payment credit or currency may then be 
automatically communicated in protected (at least in 
part encrypted) form through telecommunication of a 
VDE container to an appropriate party such as a 
clearinghouse, provider of original property content 
or appliance, or an agent for such provider (other . 
than a clearinghouse). Payment information may be 
packaged in said VDE content container with, or 
without, related content usage information, such as 
metering information. An aspect of the present 
invention further enables certain information 
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regarding currency use to be specified as unavailable 
to certain, some, or all VDE parties ("conditionally* 
to fully anonymous currency) and/or further can 
regulate certain content information, such as 
currency and/or credit use related information 
(and/or other electronic information usage data) to be 
available only under certain strict circumstances, 
such as a court order (which may itself require 
authorization through the use of a court controlled 
VDE installation that may be required to securely 
access "conditionally" anonymous information). 
Currency and credit information, under the 
preferred embodiment of the present invention, is 
treated as administrative content; 

support fingerprinting (also known as 
watermarking) for embedding in content such that 
when content protected under the present invention 
is released in clear form from a VDE object 
(displayed, printed, communicated, extracted, and/or 
saved), information representing the identification of 
the user and/or VDE installation responsible for 
transforming the content into clear form is 
embedded into the released content. Fingerprinting 
is useful in providing an ability to identify who 
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extracted information in clear form a VDE container, 
or who made a copy of a VDE object or a portion of 
its contents. Since the identity of the user and/or 
other identifying information may be embedded in 
an obscure or generally concealed manner, in VDE 
container content and/or control information, 
potential copyright violators may be deterred from 
unauthorized extraction or copying. Fingerprinting 
normally is embedded into unencrypted electronic 
content or control information, though it can be 
embedded into encrypted content and later placed in 
unencrypted content in a secure VDE installation 
sub-system as the encrypted content carrying the 
fingerprinting information is decrypted. Electronic 
information, such as the content of a VDE container, 
may be fingerprinted as it leaves a network (such as 
Internet) location bound for a receiving party. Such 
repository information may be maintained in 
unencrypted form prior to communication and be 
encrypted as it leaves the repository. Fingerprinting 
would preferably take place as the content leaves the 
repository, but before the encryption step. 
Encrypted repository content can be decrypted, for 
example in a secure VDE sub-system, fingerprint 
information can be inserted, and then the content 
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can be re-encrypted for transmission. Embedding 
identification information of the intended recipient 
user and/or VDE installation into content as it 
leaves, for example, an Internet repository, would 
provide important information that would identify or 
assist in identifying any party that managed to 
compromise the security of a VDE installation or the 
delivered content. If a party produces an authorized 
clear form copy of VDE controlled content, including 
making unauthorized copies of an authorized clear 
form copy, fingerprint information would point back 
to that individual and/or his or her VDE installation. 
Such hidden information will act as a strong 
disincentive that should dissuade a substantial 
portion of potential content "pirates" from stealing 
other parties electronic information. Fingerprint 
information identifying a receiving party and/or VDE 
installation can be embedded into a VDE object 
before, or during, decryption, replication, or 
communication of VDE content objects to receivers. 
Fingerprinting electronic content before it is 
encrypted for transfer to a customer or other user 
provides information that can be very useful for 
identifying who received certain content which may 
have then been distributed or made available in 
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unencrypted form. This information would be useful 
in tracking who may have "broken" the security of a 
VDE installation and was illegally making certain 
electronic content available to others. 
Fingerprinting may provide additional, available 
information such as time and/or date of the release 
(for example extraction) of said content information. 
Locations for inserting fingerprints may be specified 
by VDE installation and/or content container control 
information. This information may specify that 
certain areas and/or precise locations within 
properties should be used for fingerprinting, such as 
one or more certain fields of information or 
information types. Fingerprinting information may 
be incorporated into a property by modifying in a 
normally undetectable way color frequency and/or 
the brightness of certain image pixels, by slightly 
modifying certain audio signals as to frequency, by 
modifying font character formation, etc. Fingerprint 
information, itself, should be encrypted so as to 
make it particularly difficult for tampered 
fingerprints to be interpreted as valid. Variations in 
fingerprint locations for different copies of the same 
property; "false" fingerprint information; and 
multiple copies of fingerprint information within a 
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specific property or other content which copies 
employ different fingerprinting techniques such as 
information distribution patterns, frequency and/or 
brightness manipulation, and encryption related 
techniques, are features of the present invention for 
increasing the difficulty of an unauthorized 
individual identifying fingerprint locations and 
erasing and/or modifying fingerprint information. 

provide smart object agents that can carry requests, 
data, and/or methods, including budgets, 
authorizations, credit or currency, and content. For 
example, smart objects may travel to and/or from 
remote information resource locations and fulfill 
requests for electronic information content. Smart 
objects can, for example, be transmitted to a remote 
location to perform a specified database search on 
behalf of a user or otherwise "intelligently" search 
remote one or more repositories of information for 
user desired information. After identifying desired 
information at one or more remote locations, by for 
example, performing one or more database searches, 
a smart object may return via communication to the 
user in the form of a secure "return object" 
containing retrieved information. A user may be 
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charged for the remote retrieving of information, the 
returning of information to the user's VDE 
installation, and/or the use of such information. In 
the latter case, a user may be charged only for the 
information in the return object that the user 
actually uses. Smart objects may have the means to 
request use of one or more services and/or resources. 
Services include locating other services and/or 
resources such as information resources, language or 
format translation, processing, credit (or additional 
credit) authorization, etc. Resources include 
reference databases, networks, high powered or 
specialized computing resources (the smart object 
may carry information to another computer to be 
efficiently processed and then return the information 
to the sending VDE installation), remote object 
repositories, etc. Smart objects can make efficient 
use of remote resources (e.g. centralized databases, 
super computers, etc.) while providing a secure 
means for charging users based on information 
and/or resources actually used. 

support both "translations" of VDE electronic 
agreements elements into modem language printed 
agreement elements (such as English language 
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agreements) and translations of electronic rights 
protection/transaction management modern 
language agreement elements to electronic VDE 
agreement elements. This feature requires 
maintaining a library of textual language that 
corresponds to VDE load modules and/or methods 
and/or component assemblies. As VDE methods are 
proposed and/or employed for VDE agreements, a 
listing of textual terms and conditions can be 
produced by a VDE user application which, in a 
preferred embodiment, provides phrases, sentences 
and/or paragraphs that have been stored and 
correspond to said methods and/or assemblies. This 
feature preferably employs artificial intelligence 
capabilities to analyze and automatically determine, 
and/or assist one or more users to determine, the 
proper order and relationship between the library 
elements corresponding to the chosen methods 
and/or assemblies so as to compose some or all 
portions of a legal or descriptive document. One or 
more users, and/or preferably an attorney (if the 
document a legal, binding agreement), would review 
the generated document material upon completion 
and employ such additional textual information 
and/or editing as necessary to describe non electronic 
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transaction elements of the agreement and make 
any other improvements that may be necessary. 
These features further support employing modern 
language tools that allow one or more users to make 
selections from choices and provide answers to 
questions and to produce a VDE electronic 
agreement from such a process. This process can be 
interactive and the VDE agreement formulation 
process may employ artificial intelligence expert 
system technology that learns from responses and, 
where appropriate and based at least in part on said 
responses, provides further choices and/or questions 
which "evolves" the desired VDE electronic 
agreement. 

support the use of multiple VDE secure subsystems 
in a single VDE installation. Various security and/or 
performance advantages may be realized by 
employing a distributed VDE design within a single 
VDE installation. For example, designing a 
hardware based VDE secure subsystem into an 
electronic appliance VDE display device, and 
designing said subsystem's integration with said 
display device so that it is as close as possible to the 
point of display, will increase the security for video 
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materials by making it materially more difficult to 
"steal" decrypted video information as it moves from 
outside to inside the video system. Ideally, for 
example, a VDE secure hardware module would be 
in the same physical package as the actual display 
monitor, such as within the packaging of a video 
monitor or other display device, and such device 
would be designed, to the extent commercially 
practical, to be as tamper resistant as reasonable. 
As another example, embedding a VDE hardware 
module into an I/O peripheral may have certain 
advantages from the standpoint of overall system 
throughput. If multiple VDE instances are employed 
within the same VDE installation, these instances 
will ideally share resources to the extent practical, 
such as VDE instances storing certain control 
information and content and/or appliance usage 
information on the same mass storage device and in 
the same VDE management database. 

requiring reporting and payment compliance by 
employing exhaustion of budgets and time ageing of 
keys. For example, a VDE commercial arrangement 
and associated content control information may 
involve a content provider's content and the use of 
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clearinghouse credit for payment for end-user usage 
of said content. Control information regarding said 
arrangement may be delivered to a user's (of said 
content) VDE installation and/or said financial 
clearinghouse's VDE installation. Said control 
information might require said clearinghouse to 
prepare and telecommunicate to said content 
provider both content usage based information in a 
certain form, and content usage payment in the form 
of electronic credit (such credit might be "owned" by 
the provider after receipt and used in lieu of the 
availability or adequacy of electronic currency) 
and/or electronic currency. This delivery of 
information and payment may employ trusted VDE 
installation secure subsystems to securely, and in 
some embodiments, automatically, provide in the 
manner specified by said control information, said 
usage information and payment content. Features of 
the present invention help ensure that a 
requirement that a clearinghouse report such usage 
information and payment content will be observed. 
For example, if one participant to a VDE electronic 
agreement fails to observe such information 
reporting and/or paying obligation, another 
participant can stop the delinquent party from 
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successfully participating in VDE activities related 
to such agreement. For example, if required usage 
information and payment was not reported as 
specified by content control information, the 
"injured" party can fail to provide, through failing to 
securely communicate from his VDE installation 
secure subsystem, one or more pieces of secure 
information necessary for the continuance of one or 
more critical processes. For example, failure to 
report information and/or payment from a 
clearinghouse to a content provider (as well as any 
security failures or other disturbing irregularities) 
can result in the content provider not providing key 
and/or budget refresh information to the 
clearinghouse, which information can be necessary 
to authorize use of the clearinghouse's credit for 
usage of the provider's content and which the 
clearinghouse would communicate to end-user's 
during a content usage reporting communication 
between the clearinghouse and end-user. As another 
example, a distributor that failed to make payments 
and/or report usage information to a content 
provider might find that their budget for creating 
permissions records to distribute the content 
provider's content to users, and/or a security budget 
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limi ting one or more other aspect of their use of the 
provider's content, are not being refreshed by the 
content provider, once exhausted or timed-out (for 
example, at a predetermined date). In these and 
other cases, the offended party might decide not to 
refresh time ageing keys that had "aged out." Such a 
use of time aged keys has a similar impact as failing 
to refresh budgets or time-aged authorizations. 

support smart card implementations of the present 
invention in the form of portable electronic 
appliances, including cards that can be employed as 
secure credit, banking, and/or money cards. A 
feature of the present invention is the use of portable 
VDEs as transaction cards at retail and other 
establishments, wherein such cards can "dock" with 
an establishment terminal that has a VDE secure 
sub-system and/or an online connection to a VDE 
secure and/or otherwise secure and compatible 
subsystem, such as a "trusted" financial 
clearinghouse (e.g., VISA, Mastercard). The VDE 
card and the terminal (and/or online connection) can 
securely exchange information related to a 
transaction, with credit and/or electronic currency 
being transferred to a merchant and/or 
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clearinghouse and transaction information flowing 
back to the card. Such a card can be used for 
transaction activities of all sorts. A docking station, 
such as a PCMCIA connector on an electronic 
appliance, such as a personal computer, can receive 
a consumer's VDE card at home. Such a station/card 
combination can be used for on-line transactions in 
the same manner as a VDE installation that is 
permanently installed in such an electronic 
appliance. The card can be used as an "electronic 
wallet" and contain electronic currency as well as 
credit provided by a clearinghouse. The card can act 
as a convergence point for financial activities of a 
consumer regarding many, if not all, merchant, 
banking, and on-line financial transactions, 
including supporting home banking activities. A 
consumer can receive his paycheck and/or 
investment earnings and/or "authentic" VDE content 
container secured detailed information on such 
receipts, through on-line connections. A user can 
send digital currency to another party with a VDE 
arrangement, including giving away such currency. 
A VDE card can retain details of transactions in a 
highly secure and database organized fashion so that 
financially related information is both consolidated 
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and very easily retrieved and/or analyzed. Because 
of the VDE security, including use of effective 
encryption, authentication, digital signaturing, and 
secure database structures, the records contained 
within a VDE card arrangement may be accepted as 
valid transaction records for government and/or 
coiporate recordkeeping requirements. In some 
embodiments of the present invention a VDE card 
may employ docking station and/or electronic 
appliance storage means and/or share other VDE 
arrangement means local to said appliance and/or 
available across a network, to augment the 
information storage capacity of the VDE card, by for 
example, storing dated, and/or archived, backup 
information. Taxes relating to some or all of an 
individual's financial activities may be automatically 
computed based on "authentic" information securely 
stored and available to said VDE card. Said 
information may be stored in said card, in said 
docking station, in an associated electronic 
appliance, and/or other device operatively attached 
thereto, and/or remotely, such as at a remote server 
site. A card's data, e.g. transaction history, can be 
backed up to an individual's personal computer or 
other electronic appliance and such an appliance 
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may have an integrated VDE installation of its own. 
A current transaction, recent transactions (for 
redundancy), or all or other selected card data may 
be backed up to a remote backup repository, such a 
VDE compatible repository at a financial 
clearinghouse, during each or periodic docking for a 
financial transaction and/or information 
communication such as a user/merchant transaction. 
Backing up at least the current transaction during a 
connection with another party's VDE installation 
(for example a VDE installation that is also on a 
financial or general purpose electronic network), by 
posting transaction information to a remote 
clearinghouse and/or bank, can ensure that 
sufficient backup is conducted to enable complete 
reconstruction of VDE card internal information in 
the event of a card failure or loss. 

support certification processes that ensure 
authorized interoperability between various VDE 
installations so as to prevent VDE arrangements 
and/or installations that unacceptably deviate in 
specification protocols from other VDE arrangements 
and/or installations from interoperating in a manner 
that may introduce security (integrity and/or 
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confidentiality of VDE secured information), process 
control, and/or software compatibility problems. 
Certification validates the identity of VDE 
installations and/or their components, as well as 
VDE users. Certification data can also serve as 
information that contributes to determining the 
decommissioning or other change related to VDE 
sites. 

support the separation of fundamental transaction 
control processes through the use of event (triggered) 
based method control mechanisms. These event 
methods trigger one or more other VDE methods 
(which are available to a secure VDE sub-system) 
and are used to carry out VDE managed transaction 
related processing. These triggered methods include 
independently (separably) and securely processable 
component billing management methods, budgeting 
management methods, metering management 
methods, and related auditing management 
processes. As a result of this feature of the present 
invention, independent triggering of metering, 
auditing, billing, and budgeting methods, the 
present invention is able to efficiently, concurrently 
support multiple financial currencies (e.g. dollars, 
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marks, yen) and content related budgets, and/or 
billing increments as well as very flexible content 
distribution models. 

support, complete, modular separation of the control 
structures related to (1) content event triggering, (2) 
auditing, (3) budgeting (including specifying no right 
of use or unlimited right of use), (4) billing, and (5) 
user identity (VDE installation, client name, 
department, network, and/or user, etc.). The 
independence of these VDE control structures 
provides a flexible system which allows plural 
relationships between two or more of these 
structures, for example, the ability to associate a 
financial budget with different event trigger 
structures (that are put in place to enable controlling 
content based on its logical portions). Without such 
separation between these basic VDE capabilities, it 
would be more difficult to efficiently maintain 
separate metering, budgeting, identification, and/or 
billing activities which involve the same, differing 
(including overlapping), or entirely different, 
portions of content for metering, billing, budgeting, 
and user identification, for example, paying fees 
associated with usage of content, perforating home 
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banking, managing advertising services, etc. VDE 
modular separation of these basic capabilities 
supports the programming of plural, "arbitrary" 
relationships between one or differing content 
portions (and/or portion units) and budgeting, 
auditing, and/or billing control information. For 
example, under VDE, a budget limit of $200 dollars 
or 300 German Marks a month may be enforced for 
decryption of a certain database and 2 U.S. Dollars 
or 3 German Marks may be charged for each record 
of said database decrypted (depending on user 
selected currency). Such usage can be metered while 
an additional audit for user profile purposes can be 
prepared recording the identity of each filed 
displayed. Additionally, farther metering can be 
conducted regarding the number of said database 
bytes that have been decrypted, and a related 
security budget may prevent the decrypting of more 
than 5% of the total bytes of said database per year. 
The user may also, under VDE (if allowed by senior 
control information), collect audit information 
reflecting usage of database fields by different 
individuals and client organization departments and 
ensure that differing rights of access and differing 
budgets limiting database usage can be applied to 
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these client individuals and groups. Enabling 
content providers and users to practically employ 
such diverse sets of user identification, metering, 
budgeting, and billing control information results, in 
5 part, from the use of such independent control 

capabilities. As a result, VDE can support great 
configurability in creation of plural control models 
applied to the same electronic property and the same 
and/or plural control models applied to differing or 
10 entirely different content models (for example, home 

banking versus electronic shopping). 

Methods, Other Control Information, and VDE Objects 

VDE control information (e.g., methods) that collectively 
15 control use of VDE managed properties (database, document, 

individual commercial product), are either shipped with the 
content itself (for example, in a content container) and/or one or 
more portions of such control information is shipped to 
distributors and/or other users in separably deliverable 
20 "administrative objects." A subset of the methods for a property 

may in part be delivered with each property while one or more 
other subsets of methods can be delivered separately to a user or 
otherwise made available for use (such as being available 
remotely by telecommunication means). Required methods 
25 (methods listed as required for property and/or appliance use) 
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must be available as specified if VDE controlled content (such as 
intellectual property distributed within a VDE content container) 
is to be used. Methods that control content may apply to a 
plurality of VDE container objects, such as a class or other 
grouping of such objects. Methods may also be required by 
certain users or classes of users and/or VDE installations and/or 
classes of installations for such parties to use one or more 
specific, or classes of, objects. 

A feature of VDE provided by the present invention is that 
certain one or more methods can be specified as required in order 
for a VDE installation and/or user to be able to use certain and/or 
all content. For example, a distributor of a certain type of 
content might be allowed by "senior" participants (by content 
creators, for example) to require a method which prohibits 
end-users from electronically saving decrypted content, a 
provider of credit for VDE transactions might require an audit 
method that records the time of an electronic purchase, and/or a 
user might require a method that summarizes usage information 
for reporting to a clearinghouse (e.g. billing information) in a way 
that does not convey confidential, personal information regarding 
detailed usage behavior. 

A further feature of VDE provided by the present invention 
is that creators, distributors, and users of content can select from 
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among a set of predefined methods (if available) to control 
container content usage and distribution functions and/or they 
may have the right to provide new customized methods to control 
at least certain usage functions (such "new" methods may be 
5 required to be certified for trustedness and interoperability to the 

VDE installation and/or for of a group of VDE applications). As a 
result, VDE provides a very high degree of configurability with 
respect to how the distribution and other usage of each property 
or object (or one or more portions of objects or properties as 
10 desired and/or applicable) will be controlled. Each VDE 

participant in a VDE pathway of content control information may 
set methods for some or all of the content in a VDE container, so 
long as such control information does not conflict with senior 
control information already in place with respect to: 



15 



20 



(1) certain or all VDE managed content, 

(2) certain one or more VDE users and/or groupings of 
users, 

(3) certain one or more VDE nodes and/or groupings of 
nodes, and/or 



(4) certain one or more VDE applications and/or 
25 arrangements. 
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For example, a content creator's VDE control information 
for certain content can take precedence over other submitted 
VDE participant control information and, for example, if allowed 
by senior control information, a content distributor's control 
information may itself take precedence over a client 
administrator's control information, which may take precedence 
over an end-user's control information. A path of distribution 
participant's ability to set such electronic content control 
information can be limited to certain control information (for 
example, method mediating data such as pricing and/or sales 
dates) or it may be limited only to the extent that one or more of 
the participant's proposed control information conflicts with 
control information set by senior control information submitted 
previously by participants in a chain of handling of the property, 
or managed in said participant's VDE secure subsystem. 

VDE control information may, in part or in full, (a) . 
represent control information directly put in place by VDE 
content control information pathway participants, and/or (b) 
comprise control information put in place by such a participant 
on behalf of a party who does not directly handle electronic 
content (or electronic appliance) permissions records information 
(for example control information inserted by a participant on 
behalf of a financial clearinghouse or government agency). Such 
control information methods (and/or load modules and/or 
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mediating data and/or component assemblies) may also be put in 
place by either an electronic automated, or a semi-automated and 
human assisted, control information (control set) negotiating 
process that assesses whether the use of one or more pieces of 
submitted control information will be integrated into and/or 
replace existing control information (and/or chooses between 
alternative control information based upon interaction with 
in-place control information) and how such control information 
may be used. 

Control information may be provided by a party who does 
not directly participate in the handling of electronic content 
(and/or appliance) and/or control information for such content 
(and/or appliance). Such control information may be provided in 
secure form using VDE installation secure sub-system managed 
communications (including, for example, authenticating the 
deliverer of at least in part encrypted control information) 
between such not directly participating one or more parties* VDE 
installation secure subsystems, and a pathway of VDE content 
control information participant's VDE installation secure 
subsystem. This control information may relate to, for example, 
the right to access credit supplied by a financial services 
provider, the enforcement of regulations or laws enacted by a 
government agency, or the requirements of a customer of VDE 
managed content usage information (reflecting usage of content 
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by one or more parties other than such customer) relating to the 
creation, handling and/or manner of reporting of usage 
information received by such customer. Such control information 
may, for example, enforce societal requirements such as laws 
related to electronic commerce. 

VDE content control information may apply differently to 
different pathway of content and/or control information handling 
participants. Furthermore, permissions records rights may be 
added, altered, and/or removed by a VDE participant if they are 
allowed to take such action. Rights of VDE participants may be 
defined in relation to specific parties and/or categories of parties 
and/or other groups of parties in a chain of handling of content 
and/or content control information (e.g., permissions records). 
Modifications to control information that may be made by a 
given, eligible party or parties, may be limited in the number of 
modifications, and/or degree of modification, they may make. 

At least one secure subsystem in electronic appliances of 
creators, distributors, auditors, clearinghouses, client 
administrators, and end-users (understanding that two or more 
of the above classifications may describe a single user) provides a 
"sufficiently" secure (for the intended applications) environment 
for: 
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1. 



Decrypting properties and control information; 



2. 



Storing control and metering related information; 



3. 



Managing communications; 



4. Processing core control programs, along with 

associated data, that constitute control information 
for electronic content and/or appliance rights 
protection, including the enforcing of preferences 
and requirements of VDE participants. 

Normally, most usage, audit, reporting, payment, and 
distribution control methods are themselves at least in part 
encrypted and are executed by the secure subsystem of a VDE 
installation. Thus, for example, billing and metering records can 
be securely generated and updated, and encryption and 
decryption keys are securely utilized, within a secure subsystem. 
Since VDE also employs secure (e.g. encrypted and 
authenticated) communications when passing information 
between the participant location (nodes) secure subsystems of a 
VDE arrangement, important components of a VDE electronic 
agreement can be reliably enforced with sufficient security 
(sufficiently trusted) for the intended commercial purposes. A 
VDE electronic agreement for a value chain can be composed, at 
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least in part, of one or more subagreements between one or more 
subsets of the value chain participants. These subagreements 
are comprised of one or more electronic contract "compliance" 
elements (methods including associated parameter data) that 
ensure the protection of the rights of VDE participants. 

The degree of trustedness of a VDE arrangement will be 
primarily based on whether hardware SPUs are employed at 
participant location secure subsystems and the effectiveness of 
the SPU hardware security architecture, software security 
techniques when an SPU is emulated in software, and the 
encryption algorithm(s) and keys that are employed for securing 
content, control information, communications, and access to VDE 
node (VDE installation) secure subsystems. Physical facility and 
user identity authentication security procedures may be used 
instead of hardware SPUs at certain nodes, such as at an 
established financial clearinghouse, where such procedures may 
provide sufficient security for trusted interoperability with a 
VDE arrangement employing hardware SPUs at user nodes. 

The updating of property management files at each 
location of a VDE arrangement, to accommodate new or modified 
control information, is performed in the VDE secure subsystem 
and under the control of secure management file updating 
programs executed by the protected subsystem. Since all secure 
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communications are at least in part encrypted and the processing 
inside the secure subsystem is concealed from outside 
observation and interference, the present invention ensures that 
content control information can be enforced. As a result, the 
creator and/or distributor and/or client administrator and/or 
other contributor of secure control information for each property 
(for example, an end-user restricting the kind of audit 
information he or she will allow to be reported and/or a financial 
clearinghouse establishing certain criteria for use of its credit for 
payment for use of distributed content) can be confident that 
their contributed and accepted control information will be 
enforced (within the security limitations of a given VDE security 
implementation design). This control information can determine, 
for example: 

(1) How and/or to whom electronic content can be 
provided, for example, how an electronic property 
can be distributed; 

(2) How one or more objects and/or properties, or 
portions of an object or property, can be directly 
used, such as decrypted, displayed, printed, etc; 

(3) How payment for usage of such content and/or 
content portions may or must be handled; and 
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(4) How audit information about usage information 

related to at least a portion of a property should be 
collected, reported, and/or used. 

Seniority of contributed control information, including 
resolution of conflicts between content control information 
submitted by multiple parties, is normally established by: 



( 1) the sequence in which control information is put in 
place by various parties (in place control information 
normally takes precedence over subsequently 
submitted control information), 

(2) the specifics of VDE content and/or appliance control 
information. For example, in-place control 
information can stipulate which subsequent one or 
more piece of control from one or more parties or 
class of parties will take precedence over control 
information submitted by one or more yet different 
parties and/or classes of parties, and/or 

(3) negotiation between control information sets from 
plural parties, which negotiation establishes what 
control information shall constitute the resulting 
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control information set for a given piece of VDE 
managed content and/or VDE installation. 

Electronic Agreements and Rights Protection 

An important feature of VDE is that it can be used to 
assure the administration of, and adequacy of security and rights 
protection for, electronic agreements implemented through the 
use of the present invention. Such agreements may involve one 
or more of: 

(1) creators, publishers, and other distributors, of 
electronic information, 

(2) financial service (e.g. credit) providers, 

(3) users of (other than financial service providers) 
information arising from content usage such as 
content specific demographic information and user 
specific descriptive information. Such users may 
include market analysts, marketing list compilers for 
direct and directed marketing, and government 
agencies, 

(4) end users of content, 
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(5) infrastructure service and device providers such as 
telecommunication companies and hardware 
manufacturers (semiconductor and electronic 
appliance and/or other computer system 
manufacturers) who receive compensation based 
upon the use of their services and/or devices, and 

(6) certain parties described by electronic information. 

VDE supports commercially secure "extended" value chain 
electronic agreements. VDE can be configured to support the 
various underlying agreements between parties that comprise 
this extended agreement. These agreements can define 
important electronic commerce considerations including: 

(1) security, 

(2) content use control, including electronic distribution, 

(3) privacy (regarding, for example, information 
concerning parties described by medical, credit, tax, 
personal, and/or of other forms of confidential 
information), 

(4) management of financial processes, and 
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(5) pathways of handling for electronic content, content 
and/or appliance control information, electronic 
content and/or appliance usage information and 
payment and/or credit. 

VDE agreements may define the electronic commerce 
relationship of two or more parties of a value chain, but such 
agreements may, at times, not directly obligate or otherwise 
directly involve other VDE value chain participants. For 
example, an electronic agreement between a content creator and 
a distributor may establish both the price to the distributor for a 
creator's content (such as for a property distributed in a VDE 
container object) and the number of copies of this object that this 
distributor may distribute to end-users over a given period of 
time. In a second agreement, a value chain end-user may be 
involved in a three party agreement in which the end-user agrees 
to certain requirements for using the distributed product such as 
accepting distributor charges for content use and agreeing to 
observe the copyright rights of the creator. A third agreement 
might exist between the distributor and a financial clearinghouse 
that allows the distributor to employ the clearinghouse's credit 
for payment for the product if the end-user has a separate 
(fourth) agreement directly with the clearinghouse extending 
credit to the end-user. A fifth, evolving agreement may develop 
between all value chain participants as content control 
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information passes along its chain of handling. This evolving 
agreement can establish the rights of all parties to content usage 
information, including, for example, the nature of information to 
be received by each party and the pathway of handling of content 
usage information and related procedures. A sixth agreement in 
this example, may involve all parties to the agreement and 
establishes certain general assumptions, such as security 
techniques and degree of trustedness (for example, commercial 
integrity of the system may require each VDE installation secure 
subsystem to electronically warrant that their VDE node meets 
certain interoperability requirements). In the above example, 
these six agreements could comprise agreements of an extended 
agreement for this commercial value chain instance. 

VDE agreements support evolving (living 7 ') electronic 
agreement arrangements that can be modified by current and/or 
new participants through very simple to sophisticated 
"negotiations" between newly proposed content control 
information interacting with control information already in place 
and/or by negotiation between concurrently proposed content 
control information submitted by a plurality of parties. A given 
model may be asynchronously and progressively modified over 
time in accordance with existing senior rules and such 
modification may be applied to all, to classes of, and/or to specific 
content, and/or to classes and/or specific users and/or user nodes. 
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A given piece of content may be subject to different control 
information at different times or places of handling, depending on 
the evolution of its content control information (and/or on 
differing, applicable VDE installation content control 
information). The evolution of control information can occur 
during the passing along of one or more VDE control information 
containing objects, that is control information may be modified at 
one or more points along a chain of control information handling, 
so long as such modification is allowed. As a result, VDE 
managed content may have different control information applied 
at both different "locations" in a chain of content handling and at 
similar locations in differing chains of the handling of such 
content. Such different application of control information may 
also result from content control information specifying that a 
certain party or group of parties shall be subject to content 
control information that differs from another party or group of 
parties. For example, content control information for a given 
piece of content may be stipulated as senior information and 
therefore not changeable, might be put in place by a content 
creator and might stipulate that national distributors of a given 
piece of their content may be permitted to make 100,000 copies 
per calendar quarter, so long as such copies are provided to boni 
fide end-users, but may pass only a single copy of such content to 
a local retailers and the control information limits such a retailer 
to making no more than 1,000 copies per month for retail sales to 



-137- 



WO 96/27155 



PCT/US96/02303 



end-users. In addition, for example, an end-user of such content 
might be limited by the same content control information to 
making three copies of such content, one for each of three 
different computers he or she uses (one desktop computer at 
work, one for a desktop computer at home, and one for a portable 
computer). 

Electronic agreements supported by the preferred 
embodiment of the present invention can vary from very simple 
to very elaborate. They can support widely diverse information 
management models that provide for electronic information 
security, usage administration, and communication and may 
support: 

(a) secure electronic distribution of information, for 
example commercial literary properties, 

(b) secure electronic information usage monitoring and 
reporting, 

(c) secure financial transaction capabilities related to 
both electronic information and/or appliance usage 
and other electronic credit and/or currency usage 
and administration capabilities, 
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privacy protection for usage information a user does 
not wish to release, and 

"living* electronic information content dissemination 
models that flexibly accommodate: 

(1) a breadth of participants, 

(2) one or more pathways (chains) for: the 
handling of content, content and/or appliance 
control information, reporting of content 
and/or appliance usage related information, 
and/or payment, 

(3) supporting an evolution of terms and 
conditions incorporated into content control 
information, including use of electronic 
negotiation capabilities, 

(4) support the combination of multiple pieces of 
content to form new content aggregations, and 

(5) multiple concurrent models. 
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Secure Processing Units 

An important part of VDE provided by the present 
invention is the core secure transaction control arrangement, 
herein called an SPU (or SPUs), that typically must be present in 
each user's computer, other electronic appliance, or network. 
SPUs provide a trusted environment for generating decryption 
keys, encrypting and decrypting information, managing the 
secure communication of keys and other information between 
electronic appliances (ie. between VDE installations and/or 
between plural VDE instances within a single VDE installation), 
securely accumulating and managing audit trail, reporting, and 
budget information in secure and/or non-secure non-volatile 
memory, maintaining a secure database of control information 
management instructions, and providing a secure environment 
for performing certain other control and administrative functions. 

A hardware SPU (rather than a software emulation) within 
a VDE node is necessary if a highly trusted environment for 
performing certain VDE activities is required. Such a trusted 
environment may be created through the use of certain control 
software, one or more tamper resistant hardware modules such 
as a semiconductor or semiconductor chipset (including, for 
example, a tamper resistant hardware electronic appliance 
peripheral device), for use within, and/or operatively connected 
to, an electronic appliance. With the present invention, the 
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trustedness of a hardware SPU can be enhanced by enclosing 
some or all of its hardware elements within tamper resistant 
packaging and/or by employing other tamper resisting techniques 
(e.g. microfusing and/or thin wire detection techniques). A 
trusted environment of the present invention implemented, in 
part, through the use of tamper resistant semiconductor design, 
contains control logic, such as a microprocessor, that securely 
executes VDE processes. 

A VDE node's hardware SPU is a core component of a VDE 
secure subsystem and may employ some or all of an electronic 
appliance's primary control logic, such as a microcontroller, 
microcomputer or other CPU arrangement. This primary control 
logic may be otherwise employed for non VDE purposes such as 
the control of some or all of an electronic appliance's non-VDE 
functions. When operating in a hardware SPU mode, said 
primary control logic must be sufficiently secure so as to protect 
and conceal important VDE processes. For example, a hardware 
SPU may employ a host electronic appliance microcomputer 
operating in protected mode while performing VDE related 
activities, thus allowing portions of VDE processes to execute 
with a certain degree of security. This alternate embodiment is 
in contrast to the preferred embodiment wherein a trusted 
environment is created using a combination of one or more 
tamper resistant semiconductors that are not part of said 
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primary control logic. In either embodiment, certain control 
information (software and parameter data) must be securely 
maintained within the SPU, and further control information can 
be stored externally and securely (e.g. in encrypted and tagged 
5 form) and loaded into said hardware SPU when needed. In many 

cases, and in particular with microcomputers, the preferred 
embodiment approach of employing special purpose secure 
hardware for executing said VDE processes, rather than using 
said primary control logic, may be more secure and efficient. The 
10 level of security and tamper resistance required for trusted SPU 

hardware processes depends on the commercial requirements of 
particular markets or market niches, and may vary widely. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features and advantages provided by the 
present inventions) may be better and more completely 
understood by referring to the following detailed description of 
presently preferred example embodiments in connection with the 
drawings, of which: 

FIGURE 1 illustrates an example of a 'Virtual Distribution 
Environment" provided in accordance with a preferred 
example/embodiment of this invention; 

FIGURE 1 A is a more detailed illustration of an example of 
the "Information Utility" shown in FIGURE 1; 

FIGURE 2 illustrates an example of a chain of handling 
and control; 

FIGURE 2 A illustrates one example of how rules and 
control information may persist from one participant to another 
in the Figure 2 chain of handling and control; 
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FIGURE 3 shows one example of different control 
information that may be provided; 

FIGURE 4 illustrates examples of some different types of 
5 rules and/or control information; 

FIGURES 5A and 5B show an example of an "object"; 

FIGURE 6 shows an example of a Secure Processing Unit 
10 ("SPIT); 

FIGURE 7 shows an example of an electronic appliance; 

FIGURE 8 is a more detailed block diagram of an example 
15 of the electronic appliance shown in FIGURE 7; 

FIGURE 9 is a detailed view of an example of the Secure 
Processing Unit (SPU) shown in FIGURES 6 and 8; 

20 FIGURE 10 shows an example of a "Rights Operating 

System" ("ROS") architecture provided by the Virtual 
Distribution Environment; 
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FIGURES 11A-11C show examples of functional 
relationship(s) between applications and the Rights Operating 
System; 

FIGURES 11D-11J show examples of "components" and 
"component assemblies"; 

FIGURE 12 is a more detailed diagram of an example of 
the Rights Operating System shown in FIGURE 10; 

FIGURE 12A shows an example of how "objects" can be 
created; 

FIGURE 13 is a detailed block diagram of an example the 
software architecture for a "protected processing environment" 
shown in FIGURE 12; 

FIGURES 14A-14C are examples of SPU memory maps 
provided by the protected processing environment shown in 
FIGURE 13; 
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FIGURE 15 illustrates an example of how the channel 
services manager and load module execution manager of 
FIGURE 13 can support a channel; 

5 FIGURE 15A is an example of a channel header and 

channel detail records shown in FIGURE 15; 

FIGURE 15B is a flowchart of an example of program 
control steps that may be performed by the FIGURE 13 protected 
10 processing environment to create a channel; 

FIGURE 16 is a block diagram of an example of a secure 
data base structure; 

15 FIGURE 17 is an illustration of an example of a logical 

object structure; 

FIGURE 18 shows an example of a stationary object 
structure; 



20 



FIGURE 19 shows an example of a traveling object 
structure; 
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FIGURE 20 shows an example of a content object 
structure; 

FIGURE 21 shows an example of an administrative object 
structure; 

FIGURE 22 shows an example of a method core structure; 
FIGURE 23 shows an example of a load module structure; 

FIGURE 24 shows an example of a User Data Element 
(UDE) and/or Method Data Element (MDE) structure; 

FIGURES 25A-25C show examples of "map meters"; 

FIGURE 26 shows an example of a permissions record 
(PERC) structure; 

FIGURES 26A and 26B together show a more detailed 
example of a permissions record structure; 
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FIGURE 27 shows an example of a shipping table 
structure; 

FIGURE 28 shows an example of a receiving table 
5 structure; 

FIGURE 29 shows an example of an administrative event 
log structure; 

10 FIGURE 30 shows an example inter-relationship between 

and use of the object registration table, subject table and user 
rights table shown in the FIGURE 16 secure database; 

FIGURE 31 is a more detailed example of an object 
15 registration table shown in FIGURE 16; 

FIGURE 32 is a more detailed example of subject table 
shown in FIGURE 16; 

20 FIGURE 33 is a more detailed example of a user rights 

table shown in FIGURE 16; 
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FIGURE 34 shows a specific example of how a site record 
table and group record table may track portions of the secure 
database shown in FIGURE 16; 

FIGURE 34A is an example of a FIGURE 34 site record 
table structure; 

FIGURE 34B is an example of a FIGURE 34 group record 
table structure; 

FIGURE 35 shows an example of a process for updating 
the secure database; 

FIGURE 36 shows an example of how new elements may 
be inserted into the FIGURE 16 secure data base; 

FIGURE 37 shows an example of how an element of the 
secure database may be accessed; 

FIGURE 38 is a flowchart example of how to protect a 
secure database element; 
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FIGUKE 39 is a flowchart example of how to back up a 
secure database; 

FIGURE 40 is a flowchart example of how to recover a 
5 secure database from a backup; 

FIGURES 41A-41D are a set of examples showing how a 
"chain of handling and control" may be enabled using "reciprocal 
methods"; 

10 

FIGURES 42A-42D show an example of a "reciprocal" 
BUDGET method; 

FIGURES 43A-43D show an example of a "reciprocal" 
15 REGISTER method; 

FIGURES 44A-44C show an example of a "reciprocal" 
AUDIT method; 

20 FIGURES 45-48 show examples of several methods being 

used together to control release of content or other information; 
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FIGURES 49, 49A-49F show an example OPEN method; 

FIGURES 50, 50A-50F show an example of a READ 
method; 

5 

FIGURES 51, 51A-51F show an example of a WRITE 
method; 

FIGURE 52 shows an example of a CLOSE method; 

10 

FIGURES 53A-53B show an example of an EVENT 
method; 

FIGURE 53C shows an example of a BILLING method; 

15 

FIGURE 54 shows an example of an ACCESS method; 

FIGURES 55A-55B show examples of DECRYPT and 
ENCRYPT methods; 

20 

FIGURE 56 shows an example of a CONTENT method; 
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FIGURES 57A and 57B show examples of EXTRACT and 
EMBED methods; 

FIGURE 58A shows an example of an OBSCURE method; 

FIGURES 58B, 58C show examples of a FINGERPRINT 
method; 

FIGURE 59 shows an example of a DESTROY method; 

FIGURE 60 shows an example of a PANIC method; 

FIGURE 61 shows an example of a METER method; 

FIGURE 62 shows an example of a key "convolution" 
process; 

FIGURE 63 shows an example of how different keys may 
be generated using a key convolution process to determine a 
"true" key; 
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FIGURES 64 and 65 show an example of how protected 
processing environment keys may be initialized; 

FIGURES 66 and 67 show example processes for 
decrypting information contained within stationary and traveling 
objects, respectively; 

FIGURE 68 shows an example of how a protected 
processing environment may be initialized; 

FIGURE 69 shows an example of how firmware may be 
downloaded into a protected processing environment; 

FIGURE 70 shows an example of multiple VDE electronic 
appliances connected together with a network or other 
communications means; 

FIGURE 71 shows an example of a portable VDE electronic 
appliance; 
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FIGURES 72A-72D show examples of "pop-up* displays 
that may be generated by the user notification and exception 
interface; 

5 FIGURE 73 shows an example of a "smart object"; 

FIGURE 74 shows an example of a process using "smart 
objects"; 

10 FIGURES 75A-75D show examples of data structures used 

for electronic negotiation; 

FIGURES 75E-75F show example structures relating to an 
electronic agreement; 

15 

FIGURES 76A-76B show examples of electronic 
negotiation processes; 

FIGURE 77 shows a further example of a chain of handling 
20 and control; 

FIGURE 78 shows an example of a VDE "repository"; 
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FIGURES 79-83 show an example illustrating a chain of 
handling and control to evolve and transform VDE managed 
content and control information; 

FIGURE 84 shows a further example of a chain of handling 
and control involving several categories of VDE participants; 

FIGURE 85 shows a further example of a chain of 
distribution and handling within an organization; 

Figures 86 and 86A show a further example of a chain of 
handling and control; and 

Figure 87 shows an example of a virtual silicon container 
model. 
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MORE DETA ILED DESCRIPTION 

Figures 1-7 and the discussion below provides an overview 
of some aspects of features provided by this invention. Following 
this overview is a more technical "detail description" of example 
embodiments in accordance with the invention. 

Overview 

Figure 1 shows a 'Virtual Distribution Environment" 
("VDE") 100 that may be provided in accordance with this 
invention. In Figure 1, an information utility 200 connects to 
communications means 202 such as telephone or cable TV lines 
for example. Telephone or cable TV lines 202 may be part of an 
"electronic highway * that carries electronic information from 
place to place. Lines 202 connect information utility 200 to other 
people 
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such as for example a consumer 208, an office 210, a video 
production studio 204, and a publishing house 214. Each of the 
people connected to information utility 200 may be called a "VDE 
participant" because they can participate in transactions 
occurring within the virtual distribution environment 100. 

Almost any sort of transaction you can think of can be 
supported by virtual distribution environment 100. A few of 
many examples of transactions that can be supported by virtual 
distribution environment 100 include: 
C home banking and electronic payments; 
C electronic legal contracts; 

C distribution of "content" such as electronic printed matter, 
video, audio, images and computer programs; and 

C secure communication of private information such as 
medical records and financial information. 

Virtual distribution environment 100 is "virtual" because it 
does not require many of the physical "things" that used to be 
necessary to protect rights, ensure reliable and predictable 
distribution, and ensure proper compensation to content creators 
and distributors. For example, in the past, information was 
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distributed on records or disks that were difficult to copy. In the 
past, private or secret content was distributed in sealed 
envelopes or locked briefcases delivered by courier. To ensure 
appropriate compensation, consumers received goods and 
services only after they handed cash over to a seller. Although 
information utility 200 may deliver information by transferring 
physical "things" such as electronic storage media, the virtual 
distribution environment 100 facilitates a completely electronic 
"chain of handling and control. ,, 

VDE Flexibility Supports Transactions 

Information utility 200 flexibly supports many different 
kinds of information transactions. Different VDE participants 
may define and/or participate in different parts of a transaction. 
Information utility 200 may assist with delivering information 
about a transaction, or it may be one of the transaction 
participants. 

For example, the video production studio 204 in the upper 
right-hand corner of Figure 1 may create video/television 
programs. Video production studio 204 may send these 
programs over lines 202, or may use other paths such as satellite 
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linlc 205 and CD ROM delivery service 216. Video production 
studio 204 can send the programs directly to consumers 206, 208* 
210, or it can send the programs to information utility 200 which 
may store and later send them to the consumers, for example. 
Consumers 206, 208, 210 are each capable of receiving and using 
the programs created by video production studio 204 — assuming, 
that is, that the video production studio or information utility 200 
has arranged for these consumers to have appropriate " rules and 
controls " (control information) that give the consumers rights to 
use the programs. 

Even if a consumer has a copy of a video program, she 
cannot watch or copy the program unless she has "rules and 
controls" that authorize use of the program. She can use the 
program only as permitted by the "rules and controls." 

For example, video production studio 204 might release a 
half-hour exercise video in the hope that as many viewers as 
possible will view it. The video production studio 204 wishes to 
receive $2.00 per viewing. Video production studio 204 may, 
through information utility 200, make the exercise video 
available in "protected" form to all consumers 206, 208, 210. 
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Video production studio 204 may also provide "rules and controls" 
for the video. These "rules and controls" may specify for example: 

(1) any consumer who has good credit of at least $2.00 
5 based on a credit account with independent financial 

provider 212 (such as Mastercard or VISA) may watch the 
video, 

(2) virtual distribution environment 100 will "meter 7 ' each 
10 time a consumer watches the video, and report usage to 

video production studio 204 from time to time, and 

(3) financial provider 212 may electronically collect 
payment ($2.00) from the credit account of each consumer 

15 who watches the video, and transfer these payments to the 

video production studio 204. 

Information utility 200 allows even a small video 
production studio to market videos to consumers and receive 
20 compensation for its efforts. Moreover, the videos can, with 

appropriate payment to the video production studio, be made 
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available to other video publishers who may add value and/or act 
as repackagers or redistributors. 

Figure 1 also shows a publishing house 214. Publishing 
house 214 may act as a distributor for an author 206. The 
publishing house 214 may distrihute rig hts to use "content" (such 
as computer software, electronic newspapers, the video produced 
by publishing house 214, audio, or any other data) to consumers 
such as office 210. The use rights may be defined by "rules and 
controls" distributed by publishing house 216. Publishing house 
216 may distribute these "rules and controls" with the content, 
but this is not necessary. Because the content can be used only 
by consumers that have the appropriate "rules and controls," 
content and its associated "rules and controls" may be distributed 
at different times, in different ways, by different VDE 
participants. The ability of VDE to securely distribute and 
enforce "rules and controls" separately from the content they 
apply to provides great advantages. 

Use rights distributed by publishing house 214 may, for 
example, permit office 210 to make and distribute copies of the 
content to its employees. Office 210 may act as a redistributor by 
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extending a "chain of handling and control* to its employees. The 
office 210 may add or modify "rules and controls" (consistent with 
the "rules and controls" it receives from publishing house 214) to 
provide office-internal control information and mechanisms. For 
example, office 210 may set a maximum usage budget for each 
individual user and/or group within the office, or it may permit 
only specified employees and/or groups to access certain 
information. 

Figure 1 also shows an information delivery service 216 
delivering electronic storage media such as "CD ROM" disks to 
consumers 206. Even though the electronic storage media 
themselves are not delivered electronically by information utility 
200 over lines 202, they are still part of the virtual distribution 
environment 100. The electronic storage media may be used to 
distribute content, "rules and controls," or other information. 

Example of What's Inside Information Utility 200 

"Information utility" 200 in Figure 1 can be a collection of 
participants that may act as distributors, financial 
clearinghouses, and administrators. Figure 1A shows an 
example of what may be inside one example of information utility 
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200. Information utility participants 200a-200g could each be an 
independent organization/business. There can be any number of 
each of participants 200a-200g. In this example, electronic 
"switch" 200a connects internal parts of information utility 200 to 
each other and to outside participants, and may also connect 
outside participants to one another. 

Information utility 200 may include a 'transaction 
processor" 200b that processes transactions (to transfer 
electronic funds, for example) based on requests from 
participants and/or report receiver 200e. It may also include a 
"usage analyst" 200c that analyzes reported usage information. 
A "report creator" 200d may create reports based on usage for 
example, and may provide these reports to outside participants 
and/or to participants within information utility 200. A "report 
receiver" 200e may receive reports such as usage reports from 
content users. A "pennissioning agent" 200f may distribute 
"rules and controls" granting usage or distribution permissions 
based on a profile of a consumer's credit worthiness, for example. 
An administrator 200h may provide information that keeps the 
virtual distribution environment 100 operating properly. A 
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content and message storage 200g may store information for use 
by participants within or outside of information utility 200. 

Example of Distributing Content* Using A Chain of Handling 
and Control" 

As explained above, virtual distribution environment 100 
can be used to manage almost any sort of transaction. One type 
of important transaction that virtual distribution environment 
100 may be used to manage is the distribution or communication 
of "content" or other important information. Figure 2 more 
abstractly shows a "model" of how the Figure 1 virtual 
distribution environment 100 may be used to provide a "chain of 
handling and control" for distributing content. Each of the blocks 
in Figure 2 may correspond to one or more of the VDE 
participants shown in Figure 1. 

In the Figure 2 example, a VDE content creator 102 
creates " content ." The content creator 102 may also specify 
"ralftfl fm d controls " for distributing the content. These 
distribution-related "rules and controls" can specify who has 
permission to distribute the rights to use content, and how many 
users are allowed to use the content. 
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Arrow 104 shows the content creator 102 sending the 
"rules and controls" associated with the content to a VDE rights 
distributor 106 ("distributor") over an electronic highway 108 (or 
by some other path such as an optical disk sent by a delivery 
service such as U. S. mail). The content can be distributed over 
the same or different path used to send the "rules and controls." 
The distributor 106 generates her own "rules and controls" that 
relate to usage of the content. The usage-related "rules and 
controls" may, for example, specify what a user can and can't do 
with the content and how much it costs to use the content. These 
usage-related "rules and controls" must be consistent with the 
"rules and controls" specified by content creator 102. 

Arrow 110 shows the distributor 106 distributing rights to 
15 use the content by sending the content's "rules and controls" to a 

content user 112 such as a consumer. The content user 112 uses 
the content in accordance with the usage-related "rules and 
controls." 

20 In this Figure 2 example, information relating to content 

use is, as shown by arrow 114, reported to a financial 
clearinghouse 116. Based on this "reporting," the financial 
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clearinghouse 116 may generate a bill and send it to the content 
user 112 over a "reports and payments* network 118. Arrow 120 
shows the content user 112 providing payments for content usage 
to the financial clearinghouse 116. Based on the reports and 
payments it receives, the financial clearinghouse 116 may 
provide reports and/or payments to the distributor 106. The 
distributor 106 may, as shown by arrow 122, provide reports 
and/or payments to the content creator 102. The clearinghouse 
116 may provide reports and payments directly to the creator 
102. Reporting and/or payments may be done differently . For 
example, clearinghouse 116 may directly or through an agent, 
provide reports and/or payments to each of VDE content creators 
102, and rights distributor 106, as well as reports to content user 
112. 



The distributor 106 and the content creator 102 may be the 
same person, or they may be different people. For example, a 
musical performing group may act as both content creator 102 
and distributor 106 by creating and distributing its own musical 
recordings. As another example, a publishing house may act as a 
distributor 106 to distribute rights to use works created by an 
author content creator 102. Content creators 102 may use a 
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distributor 106 to efficiently manage the financial end of content 
distribution. 

The "financial clearinghouse" 116 shown in Figure 2 may 
also be a "YTVR flriTrnn^ gtrator ." Financial clearinghouse 116 in its 
VDE administrator role sends "administrative" information to 
the VDE participants. This administrative information helps to 
keep the virtual distribution environment 100 operating 
properly. The "VDE administrator" and financial clearinghouse 
roles may be performed by different people or companies, and 
there can be more than one of each. 

More about Rules and Controls* 

The virtual distribution environment 100 prevents use of 
protected information except as permitted by the "rules and 
controls" (control information). For example, the "rules and 
controls" shown in Figure 2 may grant specific individuals or 
classes of content users 112 "permission" to use certain content. 
They may specify what kinds of content usage are permitted, and 
what kinds are not. They may specify how content usage is to be 
paid for and how much it costs. As another example, "rules and 
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controls" may require content usage information to be reported 
back to the distributor 106 and/or content creator 102. 

Every VDE participant in "chain of handling and control" 
5 is normally subject to "rules and controls." "Rules and controls" 

define the respective rights and obligations of each of the various 
VDE participants. "Rides and controls" provide information and 
mechanisms that may establish interdependences and 
relationships between the participants. "Rules and controls" are 
10 flexible, and permit "virtual distribution environment" 100 to 

support most "traditional" business transactions. For example: 
C "Rides and controls" may specify which financial 

clearinghouse(s) 116 may process payments, 
C "Rules and controls" may specify which participant(s) 
15 receive what kind of usage report, and 

C "Rules and controls" may specify that certain information 

is revealed to certain participants, and that other 

information is kept secret from them. 

20 "Rules and controls" may self limit if and how they may be 

changed. Often, "rules and controls" specified by one VDE 
participant cannot be changed by another VDE participant. For 



-168- 



WO 96/27155 



PCT/US96/02303 



example, a content user 112 generally can't change "rules and 
controls" specified by a distributor 106 that require the user to 
pay for content usage at a certain rate. "Rules and controls* may 
"persist" as they pass through a "chain of handling and control," 
and may be "inherited" as they are passed down from one VDE 
participant to the next. 

Depending upon their needs, VDE participants can specify 
that their "rules and controls" can be changed under conditions 
specified by the same or other "rules and controls." For example, 
"rules and controls" specified by the content creator 102 may 
permit the distributor 106 to "mark up" the usage price just as 
retail stores "mark up" the wholesale price of goods. Figure 2A 
shows an example in which certain "rules and controls" persist 
unchanged from content creator 102 to content user 112; other 
"rules and controls" are modified or deleted by distributor 106; 
and still other "rules and controls" are added by the distributor. 

"Rules and controls" can be used to protect the content 
user's privacy by limiting the information that is reported to 
other VDE participants. As one example, "rules and controls" 
can cause content usage information to be reported anonymously 
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without revealing content user identity, or it can reveal only 
certain information to certain participants (for example, 
information derived from usage) with appropriate permission, if 
required. This ability to securely control what information is 
5 revealed and what VDE participants) it is revealed to allows the 

privacy rights of all VDE participants to be protected 

Rules and Contents* Can Be Separately Delivered 

As mentioned above, virtual distribution environment 100 
"associates" content with corresponding "rules and controls," and 
prevents the content from being used or accessed unless a set of 
corresponding "rules and controls" is available. The distributor 
106 doesn't need to deliver content to control the content's 
distribution. The preferred embodiment can securely protect 
content by protecting corresponding, usage enabling "rules and 
controls" against unauthorized distribution and use. 

In some examples, "rules and controls" may travel with the 
content they apply to. Virtual distribution environment 100 also 
20 allows "rules and controls" to be delivered separately from 

content. Since no one can use or access protected content 
without "permission" from corresponding "rules and controls," the 
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distributor 106 can control use of content that has already been 
(or will in the future be) delivered. "Rules and controls" may be 
delivered over a path different from the one used for content 
delivery. "Rules and controls" may also be delivered at some 
other time. The content creator 102 might deliver content to 
content user 112 over the electronic highway 108, or could make 
the content available to anyone on the highway. Content may be 
used at the time it is delivered, or it may be stored for later use or 
reuse. 

The virtual distribution environment 100 also allows 
payment and reporting means to be delivered separately. For 
example, the content user 112 may have a virtual "credit card" 
that extends credit (up to a certain limit) to pay for usage of any 
content. Accredit transaction" can take place at the user's site 
without requiring any "online" connection or further 
authorization. This invention can be used to help securely 
protect the virtual "credit card" against unauthorized use. 

Rules and Contents" Define Processes 

Figure 3 shows an example of an overall process based on 
"rules and controls." It includes an "events" process 402, a meter 
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process 404, a billing process 406, and a budget process 408. Not 
all of the processes shown in Figure 3 will be used for every set of 
"rules and controls" 

The "events process" 402 detects things that happen 
("events") and determines which of those "events" need action by 
the other "processes " The "events" may include, for example, a 
request to use content or generate a usage permission. Some 
events may need additional processing, and others may not. 
Whether an "event" needs more processing depends on the "rules 
and controls" corresponding to the content. For example, a user 
who lacks permission will not have her request satisfied ("No 
Go"). As another example, each user request to turn to a new 
page of an electronic book may be satisfied ("Go"), but it may not 
be necessary to meter, bill or budget those requests. A user who 
has purchased a copy of a novel may be permitted to open and 
read the novel as many times as she wants to without any 
further metering, billing or budgeting. In this simple example, 
the "event process" 402 may request metering, billing and/or 
budgeting processes the first time the user asks to open the 
protected novel (so the purchase price can be charged to the 
user), and treat all later requests to open the same novel as 
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"Insignificant events." Other content (for example, searching an 
electronic telephone directory) may require the user to pay a fee 
for each access. 

5 "Meter" process 404 keeps track of events, and may report 

usage to distributor 106 and/or other appropriate VDE 
participants). Figure 4 shows that process 404 can be based on a 
number of different factors such as: 
(a) type of usage to charge for, 
10 (b) what kind of unit to base charges on, 

(c) how much to charge per unit, 

(d) when to report, and 

(e) how to pay. 

These factors may be specified by the "rules and controls" that 
15 control the meter process. 



Billing process 406 determines how much to charge for 
events. It records and reports payment information. 



20 Budget process 408 limits how much content usage is 

permitted. For example, budget process 408 may limit the 
number of times content may be accessed or copied, or it may 
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limit the number of pages or other amount of content that can be 
used based on, for example, the number of dollars available in a 
credit account. Budget process 408 records and reports financial 
and other transaction information associated with such limits. 

Content may be supplied to the user once these processes 
have been successfully performed. 

Containers and Objects 9 

Figure 5A shows how the virtual distribution environment 
100, in a preferred embodiment, may package information 
elements (content) into a a £Qataiasi n 302 so the information can't 
be accessed except as provided by its "rules and controls." 
Normally, the container 302 is electronic rather than physical. 
Electronic container 302 in one example comprises "digital" 
information having a well defined structure. Container 302 and 
its contents can be called an "object 300." 

The Figure 5A example shows items "within" and enclosed 
by container 302. However, container 302 may "contain" items 
without those items actually being stored within the container. 
For example, the container 302 may reference items that are 
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available elsewhere such as in other containers at remote sites. 
Container 302 may reference items available at different times or 
only during limited times. Some items may be too large to store 
within container 302. Items may, for example, be delivered to the 
user in the form of a "live feed" of video at a certain time. Even 
then, the container 302 "contains" the live feed (by reference) in 
this example. 

Container 302 may contain informat ion content 304 in 
electronic (such as "digital") form. Information content 304 could 
be the text of a novel, a picture, sound such as a musical 
performance or a reading, a movie or other video, computer 
software, or just about any other kind of electronic information 
you can think of. Other types of "objects" 300 (such as 
"administrative objects") may contain "administrative" or other 
information instead of or in addition to information content 304. 

In the Figure 5A example, container 302 may also contain 
"rules and controls" in the form of: 

(a) a "permissio ns record" 808: 

(b) "budgets" 308; and 

(c) "other methods" 1000. 
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Figure 5B gives some additional detail about permissions 
record 808, budgets 308 and other methods 1000. The 
"permissions record" 808 specifies the rights associated with the 
object 300 such as, for example, who can open the container 302, 
who can use the object's contents, who can distribute the object, 
and what other control mechanisms must be active. For example, 
permissions record 808 may specify a user's rights to use, 
distribute and/or administer the container 302 and its content. 
Permissions record 808 may also specify requirements to be 
applied by the budgets 308 and "other methods" 1000. 
Permissions record 808 may also contain security related 
information such as scrambling and descrambling "keys." 

"Budgets" 308 shown in Figure 5B are a special type of 
"method" 1000 that may specify, among other things, limitations 
on usage of information content 304, and how usage will be paid 
for. Budgets 308 can specify, for example, how much of the total 
information content 304 can be used and/or copied. The methods 
310 may prevent use of more than the amount specified by a 
specific budget. 
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"Other methods" 1000 define basic operations used by 
"rules and controls." Such "methods" 1000 may include, for 
example, how usage is to be "metered," if and how content 304 
and other information is to be scrambled and descrambled, and 
other processes associated with handling and controlling 
information content 304. For example, methods 1000 may record 
the identity of anyone who opens the electronic container 302, 
and can also control how information content is to be charged 
based on "metering." Methods 1000 may apply to one or several 
different information contents 304 and associated containers 302, 
as well as to all or specific portions of information content 304. 

Secure Processing Unit (SPU) 

The "VDE participants" may each have an "electronic 
a ppliance ." The appliance may be or contain a computer. The 
appliances may communicate over the electronic highway 108. 
Figure 6 shows a secure processing unit ("SPU") 500 portion of 
the "electronic appliance" used in this example by each VDE 
participant. SPU 500 processes information in a secure 
processin g environ™ en t 503, and stores important information 
securely. SPU 500 may be emulated by software operating in a 
host electronic appliance. 
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SPU 500 is enclosed within and protected by a "tamper 
resistant security barrier* 502. Security barrier 502 separates 
the secure environment 503 from the rest of the world. It 
prevents information and processes within the secure 
environment 503 from being observed, interfered with and 
leaving except under appropriate secure conditions. Barrier 502 
also controls external access to secure resources, processes and 
information within SPU 500. In one example, tamper resistant 
security barrier 502 is formed by security features such as 
"encryption," and hardware that detects tampering and/or 
destroys sensitive information within secure environment 503 
when tampering is detected. 

SPU 500 in this example is an integrated circuit ("IC") 
"chip" 504 including " hardware " 506 and "firmware" 508. SPU 
500 connects to the rest of the electronic appliance through an 
a flppli>nrq tin V K10 SPU "firmware" 508 in this example is 
"software" such as a "computer program(s)" "embedded" within 
chip 504. Firmware 508 makes the hardware 506 work. 
Hardware 506 preferably contains a processor to perform 
instructions specified by firmware 508. "Hardware" 506 also 
contains long-term and short-term memories to store information 
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securely so it can't be tampered with. SPU 500 may also have a 
protected clock/calendar used for timing events. The SPU 
hardware 506 in this example may include special purpose 
electronic circuits that are specially designed to perform certain 
processes (such as "encryption" and "decryption") rapidly and 
efficiently. 

The particular context in which SPU 500 is being used will 
determine how much processing capabilities SPU 500 should 
have. SPU hardware 506, in this example, provides at least 
enough processing capabilities to support the secure parts of 
processes shown in Figure 3. In some contexts, the functions of 
SPU 500 may be increased so the SPU can perform all the 
electronic appliance processing, and can be incorporated into a 
general purpose processor. In other contexts, SPU 500 may work 
alongside a general purpose processor, and therefore only needs 
to have enough processing capabilities to handle secure 
processes. 
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VDE Electronic Appliance and Rights Operating System" 

Figure 7 shows an example of an electronic appliance 600 
including SPU 500. Electronic appliance 600 may be practically 
any kind of electrical or electronic device, such as: 

5 



c 


a computer 


c 


a T.V. "set top" control box 


c 


a pager 


c 


a telephone 


c 


a sound system 


c 


a video reproduction system 


c 


a video game player 


c 


a "smart" credit card 



15 Electronic appliance 600 in this example may include a keyboard 

or keypad 612, a voice recognizer 613, and a display 614. A 
human user can input commands through keyboard 612 and/or 
voice recognizer 613, and may view information on display 614. 
Appliance 600 may communicate with the outside world through 

20 any of the connections/devices normally used within an electronic 

appliance. The connections/devices shown along the bottom of 
the drawing are examples: 
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a "modem" 618 or other telecommunications link; 
a CD ROM disk 620 or other storage medium or device; 
a printer 622; 
broadcast reception 624; 
5 a document scanner 626; and 

a "cable" 628 connecting the appliance with a "network." 



Virtual distribution environment 100 provides a "rights 
operating system" 602 that manages appliance 600 and SPU 500 

10 by controlling their hardware resources. The operating system 

602 may also support at least one "application" 608. Generally, 
"application" 608 is hardware and/or software specific to the 
context of appliance 600. For example, if appliance 600 is a 
personal computer, then "application" 608 could be a program 

15 loaded by the user, for instance, a word processor, a 

communications system or a sound recorder. If appliance 600 is a 
television controller box, then application 608 might be hardware 
or software that allows a user to order videos on demand and 
perform other functions such as fast forward and rewind. In this 

20 example, operating system 602 provides a standardized, well 

defined, generalized "interface" that could support and work 
with many different "applications" 608. 
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Operating system 602 in this example provides "ri ghts and 
auditing operating system functions " 604 and "other operating 
system fh nrtfons* fiOfi The "rights and auditing operating 
system functions" 604 securely handle tasks that relate to virtual 
distribution environment 100. SPU 500 provides or supports 
many of the security functions of the "rights and auditing 
operating system functions" 402. The "other operating system 
functions" 606 handle general appliance functions. Overall 
operating system 602 may be designed from the beginning to 
include the "rights and auditing operating system functions" 604 
plus the "other operating system functions" 606, or the "rights 
and auditing operating system functions" may be an add-on to a 
preexisting operating system providing the "other operating 
system functions." 

"Rights operating system" 602 in this example can work 
with many different types of appliances 600. For example, it can 
work with large mainframe computers, "minicomputers" and 
"microcomputers" such as personal computers and portable 
computing devices. It can also work in control boxes on the top of 
television sets, small portable "pagers," desktop radios, stereo 
sound systems, telephones, telephone switches, or any other 
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electronic appliance. This ability to work on big appliances as 
well as little appliances is called "scalable." A "scalable" 
operating system 602 means that there can be a standardized 
interface across many different appliances performing a wide 
variety of tasks. 

The "rights operating system functions" 604 are "services- 
based" in this example. For example, "rights operating system 
functions" 604 handle summary requests from application 608 
rather than requiring the application to always make more 
detailed "subrequests" or otherwise get involved with the 
underlying complexities involved in satisfying a summary 
request. For example, application 608 may simply ask to read 
specified information; "rights operating system functions" 604 
can then decide whether the desired information is VDE- 
protected content and, if it is, perform processes needed to make 
the information available. This feature is called "transparency." 
"Transparency" makes tasks easy for the application 608. 
"Rights operating system functions" 604 can support applications 
608 that "know" nothing about virtual distribution environment 
100. Applications 608 that are "aware" of virtual distribution 
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environment 100 may be able to make more detailed use of 
virtual distribution environment 100. 

In this example, "rights operating system functions" 604 
are "event driven". Rather than repeatedly examining the state 
of electronic appliance 600 to determine whether a condition has 
arisen, the "rights operating system functions" 604 may respond 
directly to "events" or "happenings" within appliance 600. 

In this example, some of the services performed by "rights 
operating system functions" 604 may be extended based on 
additional "components" delivered to operating system 602. 
"Rights operating system functions" 604 can collect together and 
use "components" sent by different participants at different 
times. The "components" help to make the operating system 602 
"scalable." Some components can change how services work on 
little appliances versus how they work on big appliances (e.g., 
multi-user). Other components are designed to work with specific 
applications or classes of applications (e.g., some types of meters 
and some types of budgets). 

Electronic Appliance 600 
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An electronic appliance 600 provided by the preferred 
embodiment may, for example, be any electronic apparatus that 
contains one or more microprocessors and/or microcontrollers 
and/or other devices which perform logical and/or mathematical 
calculations. This may include computers; computer terminals; 
device controllers for use with computers; peripheral devices for 
use with computers; digital display devices; televisions; video and 
audio/video projection systems; channel selectors and/or decoders 
for use with broadcast and/or cable transmissions; remote control 
devices; video and/or audio recorders; media players including 
compact disc players, videodisc players and tape players; audio 
and/or video amplifiers; virtual reality machines; electronic game 
players; multimedia players; radios; telephones; videophones; 
facsimile machines; robots; numerically controlled machines 
including machine tools and the like; and other devices 
containing one or more microcomputers and/or microcontrollers 
and/or other CPUs, including those not yet in existence. 

Figure 8 shows an example of an electronic appliance 600. 
This example of electronic appliance 600 includes a system bus 
653. In this example, one or more conventional general purpose 
central processing units ("CPUs") 654 are connected to bus 653. 
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Bus 653 connects CPU(s) 654 to RAM 656, ROM 658, and I/O 
controller 660. One or more SPUs 500 may also be connected to 
system bus 653. System bus 653 may permit SPU(s) 500 to 
communicate with CPU(s) 654, and also may allow both the 
CPU(s) and the SPU(s) to communicate (e.g., over shared address 
and data lines) with RAM 656, ROM 658 and I/O controller 660. 
A power supply 659 may provide power to SPU 500, CPU 654 and 
the other system components shown. 

In the example shown, I/O controller 660 is connected to 
secondary storage device 652, a keyboard/display 612,614, a 
communications controller 666, and a backup storage device 668. 
Backup storage device 668 may, for example, store information 
on mass media such as a tape 670, a floppy disk, a removable 
memory card, etc. Communications controller 666 may allow 
electronic appliance 600 to communicate with other electronic 
appliances via network 672 or other telecommunications links. 
DiflFerent electronic appliances 600 may interoperate even if they 
use different CPUs and different instances of ROS 602, so long as 
they typically use compatible communication protocols and/or 
security methods. In this example, I/O controller 660 permits 
CPU 654 and SPU 500 to read from and write to secondary 



-186- 



WO 96/27155 



PCTAJS96/02303 



storage 662, keyboard/display 612, 614, communications 
controller 666, and backup storage device 668. 

Secondary storage 662 may comprise the same one or 
more non-secure secondary storage devices (such as a magnetic 
disk and a CD-ROM drive as one example) that electronic 
appliance 600 uses for general secondary storage functions. In 
some implementations, part or all of secondary storage 652 may 
comprise a secondary storage device(s) that is physically enclosed 
within a secure enclosure. However, since it may not be practical 
or cost-effective to physically secure secondary storage 652 in 
many implementations, secondary storage 652 may be used to 
store information in a secure manner by encrypting information 
before storing it in secondary storage 652. If information is 
encrypted before it is stored, physical access to secondary storage 
652 or its contents does not readily reveal or compromise the 
information. 

Secondary storage 652 in this example stores code and 
data used by CPU 654 and/or SPU 500 to control the overall 
operation of electronic appliance 600. For example, Figure 8 
shows that "Rights Operating System" CROS a ) 602 (including a 
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portion 604 of ROS that provides VDE functions and a portion 
606 that provides other OS functions) shown in Figure 7 may be 
stored on secondary storage 652. Secondary storage 652 may 
also store one or more VDE objects 300. Figure 8 also shows that 
the secure files 610 shown in Figure 7 may be stored on 
secondary storage 652 in the form of a "secure database" or 
management file system 610. This secure database 610 may 
store and organize information used by ROS 602 to perform VDE 
functions 604. Thus, the code that is executed to perform VDE 
and other OS functions 604, 606, and secure files 610 (as well as 
VDE objects 300) associated with those functions may be stored 
in secondary storage 652. Secondary storage 652 may also store 
"other information" 673 such as, for example, information used by 
other operating system functions 606 for task management, non- 
VDE files, etc. Portions of the elements indicated in secondary 
storage 652 may also be stored in ROM 658, so long as those 
elements do not require changes (except when ROM 658 is 
replaced). Portions of ROS 602 in particular may desirably be 
included in ROM 658 (e.g., "bootstrap" routines, POST routines, 
etc. for use in establishing an operating environment for 
electronic appliance 600 when power is applied). 
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Figure 8 shows that secondary storage 652 may also be 
used to store code ("application programs") providing user 
application(s) 608 shown in Figure 7. Figure 8 shows that there 
may be two general types of application programs 608: "VDE 
aware" applications 608a, and Non-VDE aware applications 
608b. VDE aware applications 608a may have been at least in 
part designed specifically with VDE 100 in mind to access and 
take detailed advantage of VDE functions 604. Because of the 
"transparency" features of ROS 602, non-VDE aware applications 
608b (e.g., applications not specifically designed for VDE 100) 
can also access and take advantage of VDE functions 604. 

SECURE PROCESSING UNIT 500 

Each VDE node or other electronic appliance 600 in the 
preferred embodiment may include one or more SPUs 500. SPUs 
500 may be used to perform all secure processing for VDE 100. 
For example, SPU 500 is used for decrypting (or otherwise 
unsecuring) VDE protected objects 300. It is also used for 
managing encrypted and/or otherwise secured communication 
(such as by employing authentication and/or error-correction 
validation of information). SPU 500 may also perform secure 
data management processes including governing usage of, 
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auditing of, and where appropriate, payment for VDE objects 300 
(through the use of prepayments, credits, real-time electronic 
debits from bank accounts and/or VDE node currency token 
deposit accounts). SPU 500 may perform other transactions 
related to such VDE objects 300. 

SPU Physical Packaging and Security Barrier 502 

As shown Figure 6, in the preferred embodiment, an SPU 
500 may be implemented as a single integrated circuit "chip" 505 
to provide a secure processing environment in which confidential 
and/or commercially valuable information can be safely 
processed, encrypted and/or decrypted. IC chip 505 may, for 
example, comprise a small semiconductor "die" about the size of a 
thumbnail. This semiconductor die may include semiconductor 
and metal conductive pathways. These pathways define the 
circuitry, and thus the functionality, of SPU 500. Some of these 
pathways are electrically connected to the external "pins" 504 of 
the chip 505. 

As shown in Figures 6 and 9, SPU 500 may be surrounded 
by a tamper-resistant hardware security barrier 502. Part of this 
security barrier 502 is formed by a plastic or other package in 
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which an SPU "die" is encased. Because the processing occurring 
within, and information stored by, SPU 500 are not easily 
accessible to the outside world, they are relatively secure from 
unauthorized access and tampering. All signals cross barrier 502 
through a secure, controlled path provided by BIU 530 that 
restricts the outside world's access to the internal components 
within SPU 500. This secure, controlled path resists attempts 
from the outside world to access secret information and resources 
within SPU 500. 

It is possible to remove the plastic package of an IC chip 
and gain access to the "die." It is also possible to analyze and 
"reverse engineer" the "die" itself (e.g., using various types of 
logic analyzers and microprobes to collect and analyze signals on 
the die while the circuitry is operating, using acid etching or 
other techniques to remove semiconductor layers to expose other 
layers, viewing and photographing the die using an electron 
microscope, etc.) Although no system or circuit is absolutely 
impervious to such attacks, SPU barrier 502 may include 
additional hardware protections that make successful attacks 
exceedingly costly and time consuming. For example, ion 
implantation and/or other fabrication techniques may be used to 



-191- 



make it very difficult to visually discern SPU die conductive 
pathways, and SPU internal circuitry may be fabricated in such a 
way that it "self-destructs" when exposed to air and/or light. SPU 
500 may store secret information in internal memory that loses 
its contents when power is lost. Circuitry may be incorporated 
within SPU 500 that detects microprobing or other tampering, 
and self-destructs (or destroys other parts of the SPU) when 
tampering is detected. These and other hardware-based physical 
security techniques contribute to tamper-resistant hardware 
security barrier 502. 

To increase the security of security barrier 502 even 
further, it is possible to encase or include SPU 500 in one or more 
further physical enclosures such as, for example: epoxy or other 
"potting compound"; further module enclosures including 
additional self-destruct, self-disabling or other features activated 
when tampering is detected; further modules providing 
additional security protections such as requiring password or 
other authentication to operate; and the like. In addition, further 
layers of metal may be added to the die to complicate acid 
etching, micro probing, and the like; circuitry designed to 
"zeroize" memory may be included as an aspect of self-destruct 
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processes; the plastic package itself may be designed to resist 
chemical as well as physical "attacks"; and memories internal to 
SPU 500 may have specialized addressing and refresh circuitry 
that "shuffles" the location of bits to complicate efforts to 
5 electrically determine the value of memory locations. These and 

other techniques may contribute to the security of barrier 502. 

In some electronic appliances 600, SPU 500 may be 
integrated together with the device microcontroller or equivalent 

10 or with a device I/O or communications microcontroller into a 

common chip (or chip set) 505. For example, in one preferred 
embodiment, SPU 500 may be integrated together with one or 
more other CPU(s) (e.g., a CPU 654 of an electronic appliance) in 
a single component or package. The other CPU(s) 654 may be 

15 any centrally controlling logic arrangement, such as for example, 

a microprocessor, other microcontroller, and/or array or other 
parallel processor. This integrated configuration may result in 
lower overall cost, smaller overall size, and potentially faster 
interaction between an SPU 500 and a CPU 654. Integration 

20 may also provide wider distribution if an integrated SPU/CPU 

component is a standard feature of a widely distributed 
microprocessor line. Merging an SPU 500 into a main CPU 654 
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of an electronic appliance 600 (or into another appliance or 
appliance peripheral microcomputer or other microcontroller) 
may substantially reduce the overhead cost of implementing VDE 
100. Integration considerations may include cost of 
implementation, cost of manufacture, desired degree of security, 
and value of compactness. 

SPU 500 may also be integrated with devices other than 
CPUs. For example, for video and multimedia applications, some 
performance and/or security advantages (depending on overall 
design) could result from integrating an SPU 500 into a video 
controller chip or chipset. SPU 500 can also be integrated 
directly into a network communications chip or chipset or the 
like. Certain performance advantages in high speed 
communications applications may also result from integrating an 
SPU 500 with a modem chip or chipset. This may facilitate 
incorporation of an SPU 500 into communication appliances such 
as stand-alone fax machines. SPU 500 may also be integrated 
into other peripheral devices, such as CD-ROM devices, set-top 
cable devices, game devices, and a wide variety of other electronic 
appliances that use, allow access to, perform transactions related 
to, or consume, distributed information. 
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SPU 500 Internal Architecture 

Figure 9 is a detailed diagram of the internal structure 
within an example of SPU 500. SPU 500 in this example 
includes a single microprocessor 520 and a limited amount of 
memory configured as ROM 532 and RAM 534, In more detail, 
this example of SPU 500 includes microprocessor 520, an 
encrypt/decrypt engine 522, a DMA controller 526, a real-time 
clock 528, a bus interface unit ("BIU") 530, a read only memory 
(ROM) 532, a random access memory (RAM) 534, and a memory 
management unit ("MMU") 540. DMA controller 526 and MMU 
540 are optional, but the performance of SPU 500 may suffer if 
they are not present. SPU 500 may also include an optional 
pattern matching engine 524, an optional random number 
generator 542, an optional arithmetic accelerator circuit 544, and 
optional compression/decompression circuit 546. A shared 
address/data bus arrangement 536 may transfer information 
between these various components under control of 
microprocessor 520 and/or DMA controller 526. Additional or 
alternate dedicated paths 538 may connect microprocessor 520 to 
the other components (e.g., encrypt/decrypt engine 522 via line 
538a, real-time clock 528 via line 538b, bus interface unit 530 via 
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line 538c, DMA controller via line 538d, and memory 
management unit (MMU) 540 via line 538e). 

The following section discusses each of these SPU 
components in more detail. 

Microprocessor 520 

Microprocessor 520 is the "brain" of SPU 500. In this 
example, it executes a sequence of steps specified by code stored 
(at least temporarily) within ROM 532 and/or RAM 534. 
Microprocessor 520 in the preferred embodiment comprises a 
dedicated central processing arrangement (e.g., a RISC and/or 
CISC processor unit, a microcontroller, and/or other central 
processing means or, less desirably in most applications, process 
specific dedicated control logic) for executing instructions stored 
in the ROM 532 and/or other memory. Microprocessor 520 may 
be separate elements of a circuitry layout, or may be separate 
packages within a secure SPU 500. 

In the preferred embodiment, microprocessor 520 normally 
handles the most security sensitive aspects of the operation of 
electronic appliance 600. For example, microprocessor 520 may 
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manage VDE decrypting, encrypting, certain content and/or 
appliance usage control information, keeping track of usage of 
VDE secured content, and other VDE usage control related 
functions. 

Stored in each SPU 500 and/or electronic appliance 
secondary memory 652 may be, for example, an instance of ROS 
602 software, application programs 608, objects 300 containing 
VDE controlled property content and related information, and 
management database 610 that stores both information 
associated with objects and VDE control information. ROS 602 
includes software intended for execution by SPU microprocessor 
520 for, in part, controlling usage of VDE related objects 300 by 
electronic appliance 600. As will be explained, these SPU 
programs include "load modules" for performing basic control 
functions. These various programs and associated data are 
executed and manipulated primarily by microprocessor 520. 

Real Time Clock (ETC) 528 

In the preferred embodiment, SPU 500 includes a real time 
clock circuit ("RTC") 528 that serves as a reliable, tamper 
resistant time base for the SPU. RTC 528 keeps track of time of 
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day and date (e.g., month, day and year) in the preferred 
embodiment, and thus may comprise a combination calendar and 
clock. A reliable time base is important for implementing time 
based usage metering methods, "time aged decryption keys," and 
other time based SPU functions. 

The RTC 528 must receive power in order to operate. 
Optimally, the RTC 528 power source could comprise a small 
battery located within SPU 500 or other secure enclosure. 
However, the RTC 528 may employ a power source such as an 
externally located battery that is external to the SPU 500. Such 
an externally located battery may provide relatively 
uninterrupted power to RTC 528, and may also maintain as 
non-volatile at least a portion of the otherwise volatile RAM 534 
within SPU 500. 

In one implementation, electronic appliance power supply 
659 is also used to power SPU 500. Using any external power 
supply as the only power source for RTC 528 may significantly 
reduce the usefulness of time based security techniques unless, at 
minimnm j SPU 500 recognizes any interruption (or any material 
interruption) of the supply of external power, records such 
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interruption, and responds as may be appropriate such as 
disabling the ability of the SPU 500 to perform certain or all VDE 
processes. Recognizing a power interruption may, for example, 
be accomplished by employing a circuit which is activated by 
power failure. The power failure sensing circuit may power 
another circuit that includes associated logic for recording one or 
more power fail events. Capacitor discharge circuitry may 
provide the necessary temporary power to operate this logic. In 
addition or alternatively, SPU 500 may from time to time 
compare an output of RTC 528 to a clock output of a host 
electronic appliance 600, if available. In the event a discrepancy 
is detected, SPU 500 may respond as appropriate, including 
recording the discrepancy and/or disabling at least some portion 
of processes performed by SPU 500 under at least some 
circumstances. 

If a power failure and/or RTC 528 discrepancy and/or other 
event indicates the possibility of tampering, SPU 500 may 
automatically destroy, or render inaccessible without privileged 
intervention, one or more portions of sensitive information it 
stores, such as execution related information and/or encryption 
key related information. To provide further SPU operation, such 
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destroyed information would have to be replaced by a VDE 
clearinghouse, administrator and/or distributor, as may be 
appropriate. This may be achieved by remotely downloading 
update and/or replacement data and/or code. In the event of a 
disabling and/or destruction of processes and/or information as 
described above, the electronic appliance 600 may require a 
secure VDE communication with an administrator, 
clearinghouse, and/or distributor as appropriate in order to 
reinitialize the RTC 528. Some or all secure SPU 500 processes 
may not operate until then. 

It may be desirable to provide a mechanism for setting 
and/or synchronizing RTC 528. In the preferred embodiment, 
when communication occurs between VDE electronic appliance 
600 and another VDE appliance, an output of RTC 528 may be 
compared to a controlled RTC 528 output time under control of 
the party authorized to be "senior" and controlling. In the event 
of a discrepancy, appropriate action may be taken, including 
resetting the RTC 528 of the "junior" controlled participant in the 
communication. 

SPU Encrypt/Decrypt Engine 522 
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In the preferred embodiment, SPU encrypt/decrypt engine 
522 provides special purpose hardware (e.g., a hardware state 
machine) for rapidly and efficiently encrypting and/or decrypting 
data. In some implementations, the encrypt/decrypt functions 
may be performed instead by microprocessor 520 under software 
control, but providing special purpose encrypt/decrypt hardware 
engine 522 will, in general, provide increased performance. 
Microprocessor 520 may, if desired, comprise a combination of 
processor circuitry and dedicated encryption/decryption logic that 
may be integrated together in the same circuitry layout so as to, 
for example, optimally share one or more circuit elements. 

Generally, it is preferable that a computationally efficient 
but highly secure "bulk* encryption/decryption technique should 
be used to protect most of the data and objects handled by SPU 
500. It is preferable that an extremely secure 
encryption/decryption technique be used as an aspect of 
authenticating the identity of electronic appliances 600 that are 
establishing a communication channel and securing any 
transferred permission, method, and administrative information. 
In the preferred embodiment, the encrypt/decrypt engine 522 
includes both a symmetric key encryption/decryption circuit (e.g. 
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DES, Skipjack/Clipper, IDEA, RC-2, RC-4, etc.) and an 
antisymmetric (asymmetric) or Public Key (TK*) 
encryption/decryption circuit. The public/private key 
encryption/decryption circuit is used principally as an aspect of 
5 secure communications between an SPU 500 and VDE 

administrators, or other electronic appliances 600, that is 
between VDE secure subsystems. A symmetric 
encryption/decryption circuit may be used for "bulk" encrypting 
and decrypting most data stored in secondary storage 662 of 
10 electronic appliance 600 in which SPU 500 resides. The 

symmetric key encryption/decryption circuit may also be used for 
encrypting and decrypting content stored within VDE objects 
300. 

15 DES or public/private key methods may be used for all 

encryption functions. In alternate embodiments, encryption and 
decryption methods other than the DES and pubhc^private key 
methods could be used for the various encryption related 
functions. For instance, other types of symmetric 

20 encryption/decryption techniques in which the same key is used 

for encryption and decryption could be used in place of DES 
encryption and decryption. The preferred embodiment can 



-202- 



WO 96/27155 



PCT/US96/02303 



support a plurality of decryption/encryption techniques using 
multiple dedicated circuits within encrypt/decrypt engine 522 
and/or the processing arrangement within SPU 500. 

Pattern Matching Engine 524 

Optional pattern matching engine 524 may provide special 
purpose hardware for performing pattern matching functions. 
One of the functions SPU 500 may perform is to 
validate/authenticate VDE objects 300 and other items. 
Validation/authentication often involves comparing long data 
strings to determine whether they compare in a predetermined 
way. In addition, certain forms of usage (such as logical and/or 
physical (contiguous) relatedness of accessed elements) may 
require searching potentially long strings of data for certain bit 
patterns or other significant pattern related metrics. Although 
pattern matching can be performed by SPU microprocessor 520 
under software control, providing special purpose hardware 
pattern matching engine 524 may speed up the pattern matching 
process. 

Compression/Decompression Engine 546 
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An optional compression/decompression engine 546 may be 
provided within an SPU 500 to, for example, compress and/or 
decompress content stored in, or released from, VDE objects 300. 
Compression/decompression engine 546 may implement one or 
more compression algorithms rising hardware circuitry to 
improve the performance of compression/decompression 
operations that would otherwise be performed by software 
operating on microprocessor 520, or outside SPU 500. 
Decompression is important in the release of data such as video 
and audio that is usually compressed before distribution and 
whose decompression speed is important. In some cases, 
information that is useful for usage monitoring purposes (such as 
record separators or other delimiters) is "hidden" under a 
compression layer that must be removed before this information 
can be detected and used inside SPU 500. 

Random Number Generator 542 

Optional random number generator 542 may provide 
specialized hardware circuitry for generating random values (e.g., 
from inherently unpredictable physical processes such as 
quantum noise). Such random values are particularly useful for 
constructing encryption keys or unique identifiers, and for 
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initializing the generation of pseudo-random sequences. Random 
number generator 542 may produce values of any convenient 
length, including as small as a single bit per use. A random 
number of arbitrary size may be constructed by concatenating 
values produced by random number generator 542. A 
cryptographically strong pseudo-random sequence may be 
generated from a random key and seed generated with random 
number generator 542 and repeated encryption either with the 
encrypt/decrypt engine 522 or cryptographic algorithms in SPU 
500. Such sequences may be used, for example, in private 
headers to frustrate efforts to determine an encryption key 
through cryptoanalysis. 

Arithmetic Accelerator 544 

An optional arithmetic accelerator 544 may be provided 
within an SPU 500 in the form of hardware circuitry that can 
rapidly perform mathematical calculations such as multiplication 
and exponentiation involving large numbers. These calculations 
can, for example, be requested by microprocessor 520 or 
encrypt/decrypt engine 522, to assist in the computations 
required for certain asymmetric encryption/decryption 
operations. Such arithmetic accelerators are well-known to those 
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skilled in the art. In some implementations, a separate 
arithmetic accelerator 544 may be omitted and any necessary 
calculations may be performed by microprocessor 520 under 
software control. 

DMA Controller 526 

DMA controller 526 controls information transfers over 
address/data bus 536 without requiring microprocessor 520 to 
process each individual data transfer. Typically, microprocessor 
520 may write to DMA controller 526 target and destination 
addresses and the number of bytes to transfer, and DMA 
controller 526 may then automatically transfer a block of data 
between components of SPU 500 (e.g., from ROM 532 to RAM 
534, between encrypt/decrypt engine 522 and RAM 534, between 
bus interface unit 530 and RAM 534, etc.). DMA controller 526 
may have multiple channels to handle multiple transfers 
simultaneously. In some implementations, a separate DMA 
controller 526 may be omitted, and any necessary data 
movements may be performed by microprocessor 520 under 
software control 

Bus Interface Unit (BIU) 530 
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Bus interface unit (BIU) 530 communicates information 
between SPU 500 and the outside world across the security 
barrier 502. BIU 530 shown in Figure 9 plus appropriate driver 
software may comprise the "appliance link" 510 shown in Figure 
5 6. Bus interface unit 530 may be modelled after a USART or PCI 

bus interface in the preferred embodiment. In this example, BIU 
530 connects SPU 500 to electronic appliance system bus 653 
shown in Figure 8. BIU 530 is designed to prevent unauthorized 
access to internal components within SPU 500 and their 
10 contents. It does this by only allowing signals associated with an 

SPU 500 to be processed by control programs running on 
microprocessor 520 and not supporting direct access to the 
internal elements of an SPU 500. 



15 Memory Management Unit 540 

Memory Management Unit (MMU) 540, if present, 
provides hardware support for memory management and virtual 
memory management functions. It may also provide heightened 
security by enforcing hardware compartmentalization of the 
20 secure execution space (e.g., to prevent a less trusted task from 

modifying a more trusted task). More details are provided below 
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in connection with a discussion of the architecture of a Secure 
Processing Environment ("SPE") 503 supported by SPU 500. 

MMU 540 may also provide hardware-level support 
functions related to memory management such as, for example, 
address mapping. 

SPU Memory Architecture 

In the preferred embodiment, SPU 500 uses three general 
kinds of memory: 

(1) internal ROM 532; 

(2) internal RAM 534; and 

(3) external memory (typically RAM and/or disk supplied 
by a host electronic appliance). 

The internal ROM 532 and RAM 534 within SPU 500 
provide a secure operating environment and execution space. 
Because of cost limitations, chip fabrication size, complexity and 
other limitations, it may not be possible to provide sufficient 
memory within SPU 500 to store all information that an SPU 
needs to process in a secure manner. Due to the practical limits 
on the amount of ROM 532 and RAM 534 that may be included 
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within SPU 500, SPU 500 may store information in memory 
external to it, and move this information into and out of its 
secure internal memory space on an as needed basis. In these 
cases, secure processing steps performed by an SPU typically 
must be segmented into small, securely packaged elements that 
may be "paged in" and "paged out" of the limited available 
internal memory space. Memory external to an SPU 500 may not 
be secure. Since the external memory may not be secure, SPU 
500 may encrypt and cryptographically seal code and other 
information before storing it in external memory. Similarly, SPU 
500 must typically decrypt code and other information obtained 
from external memory in encrypted form before processing (e.g., 
executing) based on it. In the preferred embodiment, there are 
two general approaches used to address potential memory 
limitations in a SPU 500. In the first case, the small, securely 
packaged elements represent information contained in secure 
database 610. In the second case, such elements may represent 
protected (e.g., encrypted) virtual memory pages. Although 
virtual memory pages may correspond to information elements 
stored in secure database 610, this is not required in this 
example of a SPU memory architecture. 



-209- 



WO 96/27155 



PCT/US96/02303 



The following is a more detailed discussion of each of these 
three SPU memory resources. 

SPU Internal ROM 

5 SPU 500 read only memory (ROM) 532 or comparable 

purpose device provides secure internal non-volatile storage for 
certain programs and other information. For example, ROM 532 
may store "kernel" programs such as SPU control firmware 508 
and, if desired, encryption key information and certain 

10 fundamental "load modules." The "kernel" programs, load 

module information, and encryption key information enable the 
control of certain basic functions of the SPU 500. Those 
components that are at least in part dependent on device 
configuration (e.g., POST, memory allocation, and a dispatcher) 

15 may be loaded in ROM 532 along with additional load modules 

that have been determined to be required for specific 
installations or applications. 

In the preferred embodiment, ROM 532 may comprise a 
20 combination of a masked ROM 532a and an EEPROM and/or 

equivalent "flash" memory 532b. EEPROM or flash memory 
532b is used to store items that need to be updated and/or 
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initialized, such as for example, certain encryption keys. An 
additional benefit of providing EEPROM and/or flash memory 
532b is the ability to optimize any load modules and library 
functions persistently stored within SPU 500 based on typical 
usage at a specific site. Although these items could also be 
stored in NVRAM 534b, EEPROM and/or flash memory 532b 
may be more cost effective. 

Masked ROM 532a may cost less than flash and/or 
EEPROM 532b, and can be used to store permanent portions of 
SPU software/firmware. Such permanent portions may include, 
for example, code that interfaces to hardware elements such as 
the RTC 528, encryption/decryption engine 522, interrupt 
handlers, key generators, etc. Some of the operating system, 
library calls, libraries, and many of the core services provided by 
SPU 500 may also be in masked ROM 532a. In addition, some of 
the more commonly used executables are also good candidates for 
inclusion in masked ROM 532a. Items that need to be updated or 
that need to disappear when power is removed from SPU 500 
should not be stored in masked ROM 532a. 



-211- 



WO 96/27155 



PCTAJS96/02303 



Under some circumstances, RAM 534a and/or NVRAM 
534b (NVRAM 534b may, for example, be constantly powered 
conventional RAM) may perform at least part of the role of ROM 
532. 

SPU Internal RAM 

SPU 500 general purpose RAM 534 provides, among other 
things, secure execution space for secure processes. In the 
preferred embodiment, RAM 534 is comprised of different types 
of RAM such as a combination of high-speed RAM 534a and an 
NVRAM ("non-volatile RAM") 534b. RAM 534a may be volatile, 
while NVRAM 534b is preferably battery backed or otherwise 
arranged so as to be non-volatile (i.e., it does not lose its contents 
when power is turned off). 

High-speed RAM 534a stores active code to be executed 
and associated data structures. 

NVRAM 534b preferably contains certain keys and 
summary values that are preloaded as part of an initialization 
process in which SPU 500 communicates with a VDE 
administrator, and may also store changeable or changing 
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information associated with the operation of SPU 500. For 
security reasons, certain highly sensitive information (e.g., 
certain load modules and certain encryption key related 
information such as internally generated private keys) needs to 
be loaded into or generated internally by SPU 500 from time to 
time but, once loaded or generated internally, should never leave 
the SPU. In this preferred embodiment, the SPU 500 
non- volatile random access memory (NVRAM) 534b may be used 
for securely storing such highly sensitive information. NVRAM 
534b is also used by SPU 500 to store data that may change 
frequently but which preferably should not be lost in a power 
down or power fail mode. 

NVRAM 534b is preferably a flash memory array, but may 
in addition or alternatively be electrically erasable programmable 
read only memory (EEPROM), static RAM (SRAM), bubble 
memory, three dimensional holographic or other electro-optical 
memory, or the like, or any other writable (e.g., randomly 
accessible) non-volatile memory of sufficient speed and 
cost-eflFectiveness . 

SPU External Memory 
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The SPU 500 can store certain information on memory 
devices external to the SPU. If available, electronic appliance 600 
memory can also be used to support any device external portions 
of SPU 500 software. Certain advantages may be gained by 
allowing the SPU 500 to use external memory. As one example, 
memory internal to SPU 500 may be reduced in size by using 
non- volatile read/write memory in the host electronic appliance 
600 such as a non-volatile portion of RAM 656 and/or ROM 658. 

Such external memory may be used to store SPU 
programs, data and/or other information. For example, a VDE 
control program may be, at least in part, loaded into the memory 
and communicated to and decrypted within SPU 500 prior to 
execution. Such control programs may be re-encrypted and 
communicated back to external memory where they may be 
stored for later execution by SPU 500. "Kernel" programs and/or 
some or all of the non-kernel "load modules" may be stored by 
SPU 500 in memory external to it. Since a secure database 610 
may be relatively large, SPU 500 can store some or all of secure 
database 610 in external memory and call portions into the SPU 
500 as needed. 
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As mentioned above, memory external to SPU 500 may not 
be secure. Therefore, when security is required, SPU 500 must 
encrypt secure information before writing it to external memory, 
and decrypt secure information read from external memory 
5 before using it. Inasmuch as the encryption layer relies on secure 

processes and information (e.g., encryption algorithms and keys) 
present within SPU 500, the encryption layer effectively 
"extends" the SPU security barrier 502 to protect information the 
SPU 500 stores in memory external to it. 

10 

SPU 500 can use a wide variety of different types of 
external memory. For example, external memory may comprise 
electronic appliance secondary storage 652 such as a disk; 
external EEPROM or flash memory 658; and/or external RAM 
15 656. External RAM 656 may comprise an external nonvolatile 

(e.g. constantly powered) RAM and/or cache RAM. 

Using external RAM local to SPU 500 can significantly 
improve access times to information stored externally to an SPU. 
20 For example, external RAM may be used: 

C to buffer memory image pages and data structures prior to 

their storage in flash memory or on an external hard disk 
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